James Holler, Founder, Abidance Consulting

With more and more emphasis being placed on the CIP requirements, some NERC registered entities may be tempted to “relax” and decide that they do not fall under the Critical Asset classification. A word of advice: take a deep breath and think carefully. If you think that it is just too hard to get compliant and the easiest solution is to declare that you are not critical, you are very mistaken.

Several attorneys who work in the NERC space have commented that entities which deliberately, or even apparently, deem themselves not critical simply to avoid having to comply will most likely face egregious fines from NERC, and we’re talking in the millions of dollars. On the same side of this coin, if your CIP program is so weak that you are judged not to be in compliance, you could suffer much larger financial losses, on top of any fines, if you are the victim of a cyber attack or an interruption that results from your failure to comply.

NERC and FERC have made it very clear from the beginning that they are serious about having registered entities comply with their rules and regulations. Since June 2007, NERC fines total more than $35 million and the FERC fines are almost $120 million.

If your organization doesn’t have the appropriate staff on hand to get the job done, then you have two valid options: 1) hire the appropriate staff, or 2) hire a competent consulting firm. Don’t think that you, as a registered entity, are going to be able to “slip one by” the auditor. The eight RROs, as well as NERC and FERC, have hired some very skilled cyber security auditors who know what to look for and also where to look. These auditors are very good, and the only way to “beat them” is to have a great CIP compliance program in place.

You may ask, “How long does it take to get compliant, and for how much?” This is not an easy question to answer, as there are numerous variables that determine the answers. A few of those variables: What is your current state of readiness? Have you leveraged work from other compliance efforts such as Sarbanes-Oxley, HIPAA and PCI? Have you tested your current state of readiness against a mock audit? There are dozens of factors that must be considered before you can even guess at the timeframe and associated costs. One thing is for sure, though: it will cost you a lot less money to get compliant than it will to “keep your head in the sand”.

James Holler is founder of Abidance Consulting.


James Holler, Founder, Abidance Consulting

H.R. 5026, the Grid Reliability and Infrastructure Defense Act, or the “GRID Act” as it is known, is setting the table to allow the current Administration to nationalize the grid. There, I said it!

This piece of legislation passed the House Energy & Commerce Committee unanimously, 47-0. Apparently no sane person on the committee read this document, as it allows the President to declare an “emergency” (Page 6, Lines 10-18): “Whenever the President issues and provides to the Commission (either directly or through the Secretary) a written directive or determination identifying an imminent grid security threat, the Commission may, with or without notice, hearing, or report, issue such orders for emergency measures as are necessary in its judgment to protect the reliability of the bulk-power system or of defense critical electric infrastructure against such threat.” That applies to the entire grid, an RRO or even a single facility (Page 7, Lines 9-15): “An order for emergency measures under this subsection may apply to —

(A)  the Electric Reliability Organization;

(B)  a regional entity; or

(C) any owner, user, or operator of the bulk-power system or of defense critical electric infrastructure within the United States.”

The GRID Act requires a facility to protect against electromagnetic weapons (non-nuclear) and geomagnetic storms, that is, a direct attack on a facility or its systems using an electromagnetic weapon and/or a geomagnetic storm causing adverse effects on the reliability of the Bulk Electric System.

Um, if you plan on monitoring the sun for storm activity and have a “Magic 8-Ball”, you might be able to figure out how to detect and protect against these issues. If you don’t happen to possess these monitoring abilities, then just plan on getting fined or having an “emergency” declared against you.

Oh, and just in case you weren’t aware, if an emergency is declared against your facility, FERC will step in and take control of your facility(ies) until the President has determined that the emergency is over. This is the same President who recently said at Hampton University that he did not know how to use an iPod, iPad, Xbox or a PlayStation. This is the very same President who wants the ability to declare an emergency on the grid!

There is one shining light in all of this. That light is your ability as a registered entity to recover your expenses in getting compliant, either through rate increases or, if that’s not possible, through a “mechanism” (new taxes) that Congress will put in place so that you can recover your costs. The other light, which I think is from an oncoming locomotive, is one that allows Congress to force you to turn over all of your documentation, regardless of its sensitivity, for their full review. Mmmmm, makes me feel all warm and fuzzy to think that Congress will now be able to review and, at their whim, make all of our power producers’ documents a matter of public record. Check, please!

Read the entire ruling here.


Scratching your head a bit when you read those new issues from NERC? You aren’t alone. Yes, it’s a complicated issue, but arguably NERC isn’t making things easier with its sometimes vague, sometimes complex regulatory writing.

Lucky for us we’ve got Paul Fricke, Quality Manager with AssurX, to act as our interpreter.

His overall take? “We got some clarification and some elaboration, but bottom-line there really is not that much in these new issues,” Paul says. Paul cites a few relatively minor changes that are worth taking a quick look at, e.g., what are “appropriate parties” in CIP-001-1a, clarification about “end points” in CIP-005-1a and CIP-005-2a and Electronic Security Perimeters/Physical Security Perimeters in CIP-006-1c and CIP-006-2c.

Paul elaborates on what it all means: “The big take-away is that NERC is active in adding interpretations to NERC Standards to aid in ensuring that registered entities understand the intent of the requirements and how they expect them to be applied.”

It’s also important to note that these new issues aren’t exactly a done deal. They are issued by NERC but are waiting for regulatory approval, with a “TBD” effective date.

Stay tuned.

Editor’s Note: Got a question about all of this? Reach out to Paul at pfricke@assurx.com

Click here for more information about NERC compliance.


WHEN: Thursday, January 28, 2010 – 10 am – 2pm (Pacific)

REGISTER: https://www2.gotomeeting.com/register/554360930

WHO SHOULD ATTEND: All AssurX Energy/Utility Customers

AGENDA:

How to Manage NERC CIP Workflows & Documentation
NERC CIP Compliance Management – CIP-002 thru CIP-009 reached the Auditably Compliant stage July 1st, 2009. In this talk we will take a look at best practices for managing CIP workflows including configuration change management and process/plan review workflows.

How to Manage a NERC Compliance Framework
Part of a NERC audit includes submitting information about how your internal documentation (i.e. procedures, policies, etc.) relates to each applicable requirement. This presentation will demonstrate how CATSWeb ER can be used to establish this compliance framework.

NERC Standard Update Service
View how the NERC Standard Update Service is used to import new NERC standards and file attachments into your CATSWeb ER system.

Self Certification
Using the new CATSWeb 16Q Service Pack rules engine, view how your self-certification preparation process can be automated to create and assign all Gap Analysis records and monitor when all Gaps have been completed.

Using CATSWeb for PRC-005-1 Compliance
Demonstration of CATSWeb configured as a standalone system as well as an integration hub with various Work Order Management, ERP and Test Systems, assuring that assets which affect the BES are in PRC-005-1 compliance.

Taking your CATSWeb ER system beyond your expectations
An opportunity to learn how companies use CATSWeb ER to streamline the management of documents, assets, approvals, certifications, testing, exceptions, etc.

Sessions will last anywhere from 20 to 45 minutes each and will be followed by a 5 to 10 minute Q&A, with a break midway. This four-hour event will be recorded and available for replay shortly afterwards. Presentations will be available for download immediately following the event.


Based on the latest information from NERC, the Critical Infrastructure Protection Standards, CIP-002 thru CIP-009, reach the Auditably Compliant stage on July 1st, 2009. Up until now most of us have been focusing on the Sabotage Reporting Standard, CIP-001. Most of the violations associated with CIP-001 result from not having an established contact with the FBI for sabotage reporting, or from deficiencies in the procedures or training related to sabotage reporting. Given that CIP-001 is only one standard and is fairly simple compared to the other eight, we all assume that a lot more effort will be required for compliance. We also assume there will be significantly more violations and significantly higher fines associated with CIP-002 thru CIP-009.

Given that companies have limited resources and time, it may be helpful to look at what is ‘common’ amongst these standards as they relate to processes and workflows. One process that repeatedly shows up in the requirements is a review or assessment. For example, CIP-006 Requirement 1.9 says that companies need to establish a process for ensuring that the physical security plan is reviewed at least annually. CIP-009 Requirement 1 says that companies should review their recovery plans for Critical Cyber Assets annually. While each of these processes must be tailored to meet its specific requirement, there are many common elements that can be leveraged to save time. For example, a typical ‘review’ process includes the following steps:

  • Initiate the review
  • Perform the review and document any recommendations for change
  • Approve the determination and recommendations
  • Implement all approved changes
  • Request approval that the changes were implemented and close the review
  • Schedule the next review based on the required period

Once you have agreed on a general workflow you can then customize the process to meet specific needs. For example, determine who should be approving recommended changes and closure for each process being implemented. So, prior to developing your workflows, read through the entire set of CIP Standards and look for repeated processes. It may help you save time and money. Let me know what processes you have found in the CIP Standards that may be repeated.
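The six-step review workflow above can be expressed as a small state machine so that the same engine serves every annual review the CIP standards call for, with the approver and the required period as the only per-process parameters. The following is an added illustration written for this post, not code from AssurX or CATSWeb; the review names, the 365-day period and the dates are constructed examples. It enforces the step order (the review cannot be closed before the approved changes are implemented), requires the designated approver for the approval and closure steps, schedules the next due date from the required period when the review closes, and reports which reviews are overdue on a given day, which is the gap an auditor would look for.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    INITIATED = "initiated"      # step 1: review initiated
    REVIEWED = "reviewed"        # step 2: review performed, recommendations recorded
    APPROVED = "approved"        # step 3: determination and recommendations approved
    IMPLEMENTED = "implemented"  # step 4: approved changes implemented
    CLOSED = "closed"            # steps 5 and 6: closure approved, next review scheduled


# The only legal transition out of each state; anything else is a workflow violation.
NEXT_STATE = {
    State.INITIATED: State.REVIEWED,
    State.REVIEWED: State.APPROVED,
    State.APPROVED: State.IMPLEMENTED,
    State.IMPLEMENTED: State.CLOSED,
}


@dataclass
class Review:
    name: str                 # e.g. the plan or standard requirement under review
    period_days: int          # required review period (365 for "at least annually")
    approver: str             # role or person who approves recommendations and closure
    state: State = State.INITIATED
    recommendations: List[str] = field(default_factory=list)
    history: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)
    next_due: Optional[date] = None

    def _advance(self, new_state: State, on: date, actor: Optional[str] = None) -> None:
        # Refuse any transition that skips or repeats a step.
        if NEXT_STATE.get(self.state) is not new_state:
            raise ValueError(f"{self.name}: cannot go from {self.state.value} to {new_state.value}")
        self.history.append((on.isoformat(), new_state.value, actor))
        self.state = new_state

    def perform(self, recommendations: List[str], on: date) -> None:
        self._advance(State.REVIEWED, on)
        self.recommendations = list(recommendations)

    def approve(self, actor: str, on: date) -> None:
        if actor != self.approver:
            raise PermissionError(f"{actor} is not the approver for {self.name}")
        self._advance(State.APPROVED, on, actor)

    def implement(self, on: date) -> None:
        self._advance(State.IMPLEMENTED, on)

    def close(self, actor: str, on: date) -> None:
        # Closure is itself an approval, so the same approver check applies.
        if actor != self.approver:
            raise PermissionError(f"{actor} is not the approver for {self.name}")
        self._advance(State.CLOSED, on, actor)
        # Step 6: schedule the next review from the required period.
        self.next_due = on + timedelta(days=self.period_days)


def overdue(reviews: List[Review], today: date) -> List[str]:
    """Names of reviews whose scheduled next review date has passed."""
    return [r.name for r in reviews if r.next_due is not None and today > r.next_due]


def run_annual_cycle(name: str, approver: str, start: date) -> Review:
    """Drive one review through all six steps on constructed dates."""
    r = Review(name=name, period_days=365, approver=approver)
    r.perform(["update visitor escort procedure"], on=start)
    r.approve(approver, on=start + timedelta(days=7))
    r.implement(on=start + timedelta(days=21))
    r.close(approver, on=start + timedelta(days=30))
    return r


if __name__ == "__main__":
    # Constructed example: CIP-006 R1.9 physical security plan review started 2 July 2009.
    r = run_annual_cycle("CIP-006 R1.9 physical security plan review", "CIP Senior Manager", date(2009, 7, 2))
    for entry in r.history:
        print(entry)
    print("next due:", r.next_due)
    print("overdue on 2010-09-01:", overdue([r], date(2010, 9, 1)))
```

The `history` list gives the timestamped evidence trail an auditor asks for, and `overdue` is the check to run on a schedule: a review that closed on 1 August 2009 with a 365-day period comes due on 1 August 2010 and shows up as overdue the day after.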
