May 17, 2012

Registration Now Open for AssurX's Electric Reliability Virtual Summit

WHEN: Thursday, January 28, 2010 – 10 am – 2pm (Pacific)

REGISTER: https://www2.gotomeeting.com/register/554360930

WHO SHOULD ATTEND: All AssurX Energy/Utility Customers

AGENDA:

How to Manage NERC CIP Workflows & Documentation
NERC CIP Compliance Management – CIP-002 thru CIP-009 reached the Auditably Compliant stage July 1st, 2009. In this talk we will take a look at best practices for managing CIP workflows including configuration change management and process/plan review workflows.

How to Manage a NERC Compliance Framework
Part of a NERC audit includes submitting information about how your internal documentation (i.e. procedures, policies, etc.) relates to each applicable requirement. This presentation will demonstrate how CATSWeb ER can be used to establish this compliance framework.

NERC Standard Update Service
View how the NERC Standard Update Service is used to import new NERC standards and file attachments into your CATSWeb ER system.

Self Certification
Using the new CATSWeb 16Q Service Pack rules engine, view how your self-certification preparation process can be automated to create and assign all Gap Analysis records and monitor when all Gaps have been completed.

Using CATSWeb for PRC-005-1 Compliance

Demonstration of CATSWeb configured as a standalone system as well as an integration hub with various Work Order Management, ERP and Test Systems, assuring that assets which affect the BES are in PRC-005-1 compliance.

Taking your CATSWeb ER system beyond your expectations
An opportunity to learn how companies use CATSWeb ER to streamline the management of documents, assets, approvals, certifications, testing, exceptions, etc.

Sessions will last anywhere from 20 – 45 minutes each and will be followed by a 5 – 10 minute Q&A, as well as a midway break. This four hour event will be recorded and available for replay shortly afterwards. Presentations will be available for download immediately following the event.


Time to Shift Some Priorities When Tackling NERC Requirements

Based on the latest information from NERC, the Critical Infrastructure Protection Standards, CIP-002 thru CIP-009, reach the Auditably Compliant stage on July 1st, 2009. Up until now most of us have been focusing on the Sabotage Reporting Standard, CIP-001. Most of the violations associated with CIP-001 are a result of not having an established contact with the FBI for sabotage reporting, or of deficiencies in the procedures or training related to sabotage reporting. Given that CIP-001 is only one standard and is fairly simplistic compared to the other eight standards, we all assume that a lot more effort will be required for compliance. We also assume there will be significantly more violations and significantly higher fines associated with CIP-002 thru CIP-009.

Given that companies have limited resources and time, it may be helpful to look at what is ‘common’ amongst these standards as they relate to processes and workflows. One process that repeatedly shows up in the requirements is reviews or assessments. For example, CIP-006 Requirement 1.9 says that companies need to establish a process for ensuring that the physical security plan is reviewed at least annually. CIP-009 Requirement 1 says that companies should perform a review of their recovery plans for Critical Cyber Assets annually. While each of these processes must be tailored to meet its specific requirements, there are many common elements that can be leveraged to save time. For example, a typical ‘review’ process includes the following steps:

  • Initiate the review
  • Perform the review and document any recommendations for change
  • Approve the determination and recommendations
  • Implement all approved changes
  • Request approval that the changes were implemented and close the review
  • Schedule the next review based on the required period

Once you have agreed on a general workflow you can then customize the process to meet specific needs. For example, determine who should be approving recommended changes and closure for the specific processes being implemented. So, prior to developing your workflows, read through the entire set of CIP Standards and look for repeated processes. It may help you to save time and money. Let me know what processes you have found in the CIP Standards that may be repeated.


New NERC Standards Too Tough to Decipher

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

My heartfelt sympathies go out to anyone who has to wade through the North American Electric Reliability Corporation’s (NERC) new cyber security standards.

Last week (May 6), NERC trumpeted the fact that eight revised cyber security standards for the North American bulk power system were approved by its independent Board of Trustees. That approval wrapped up phase one of NERC’s cyber security standards revision work plan, launched last July. “Work continues on phase two of the revision plan, with version three standards already under development,” NERC said in a release that might inspire more fear in the hearts of those who must comply with, but first actually decipher, these regulations.

“I wouldn’t call these huge changes, but I might call them confusing ones,” Paul Fricke, Quality Manager at AssurX, told me recently. “The effective dates are confusing and it’s not clear at all when some of the regulations actually take effect. For example CIP-007-2, Effective Date: The first day of the third calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required).”

On the plus side, Paul applauds that NERC removed vague and difficult to measure Violation Severity Level elements from the compliance section, e.g. CIP-006-2. On the down side, NERC punted on defining Violation Severity Levels (VSLs), saying they will define them later (CIP-002-2). Until they make those VSLs clear, “utilities will not necessarily know right away what their [potential] risk penalty is, and that’s assuming they’ve been able to define the risk level in the first place.”

But however you slice it, these standards need to be improved to include clear and concise information. The “Sanction Guidelines of the North American Electric Reliability Corporation” in “Appendix A: Base Penalty Amount Table” denotes a matrix of Violation Risk Factor by Violation Severity Level, which is used to determine a fine range from the respective axis elements. To assist stakeholders and users of the standards, it would seem reasonable to clearly define and specify these in the actual FERC-approved standard. Instead, these (if defined at all) are referenced for the most part in separate documents (RSAWs, VSL Matrix, VRF Matrix) which may or may not be up to date on the NERC website. It’s time for NERC to step up and specify risk factors and violation severity levels in the NERC standards themselves.

You can begin the search for the standards, effective dates, and your part in all of this here: http://www.nerc.com/filez/standards/Mandatory_Effective_Dates_United_States.html
Here’s a link to the actual news release: http://www.nerc.com/news_pr.php?npr=308


NERC Standards Management: Beyond the Spreadsheet

As we all know, on August 8, 2005, President Bush signed into law the Energy Policy Act of 2005, which authorized the creation of an electric reliability organization (ERO) with the statutory authority to enforce compliance with reliability standards among all market participants. The electric industry has had to adjust to the change from a voluntary system of compliance to a mandatory system of reliability standards compliance. In order to deal with this situation most organizations decided to use their favorite weapon – the spreadsheet. It was a great choice given there was a lot of information that needed to be organized in a very short period of time, including: standards, requirements, entities, measures, subject matter experts, applicable procedures, evidence of compliance, and the list goes on.

However, once these spreadsheets were filled up with reams of data on dozens of interconnected worksheets, problems began to surface:

  • Complexity: Documenting the relationships between each applicable requirement, the applicable procedures, and the compliance rationale for each of the registered entities within the organization quickly becomes a rat’s nest of intertwined data.
  • Maintenance: As new and revised standards are released, just managing changes to these spreadsheets becomes more than a full-time job.
  • Doesn’t Manage Tasks: Analysis of compliance to requirements usually requires assigning tasks, which implies management of assignees and due dates along with documenting the task and the outcome.
  • Silos of Information: Spreadsheets by their very nature are typically owned by one person and are located on that individual’s computer. After a while most companies learn that there is more than one spreadsheet. In fact, several people in various parts of the organization are maintaining this information with overlapping data, most of the time without knowledge of each other.

This is when it makes sense to use a corporate-wide compliance management system that can deal with the complexity of the data, can be easily maintained as new and revised standards are released, and can manage task assignments, due dates (with automatic email reminders), and the associated procedures and evidence.
