February 4, 2012

The Next Steps to Prepare for NERC’s FFT Reporting

Vice President, Energy & Utilities Compliance, AssurX Inc.

To continue the discussion on NERC’s new compliance enforcement initiative, Find, Fix, Track and Report (FFT Report), there are a couple of important things to consider as this new process is implemented.

NERC and the Regional Entities (REs) will be watching and reviewing registered entities on prompt self-reporting of the potential violation, the risk associated with the discovered issue, and the mitigating activities, whether already completed or still underway. The Regional Entities will assign a unique tracking number to each self-report, as they do now. What will now also be weighed during their evaluation is the severity of the risk to the BPS and the time elapsed between the registered entity’s discovery of the issue and its report to the RE. NERC and the Regional Entities still urge all registered entities to notify their Region as soon as a possible violation is discovered.

Registered entities with a strong compliance program will identify the potential violation and investigate it internally with the proper resources as quickly as possible. They will take immediate corrective actions to mitigate the discovered issue. The registered entity will enter the issue into its corrective action tracking system and assign it to the appropriate individual or department. Such tracking systems trend and categorize issues of all levels to help management identify trends and areas for improvement. This might initiate an internal self-assessment or even a root cause evaluation if the issue has been determined to be severe.

The initiative that was submitted to FERC on September 30, 2011, stated that the registered entity’s compliance program, mitigation and corrective action programs, internal controls and culture of compliance will have an impact on how the Regional Entities evaluate the potential violation.  Key elements to promote these internal behaviors within an organization are:

  • Effective identification
  • Objective self-assessments
  • Internal evaluations, tracking, fixing, and trending issues

Identification of even low-level issues can help prevent larger issues that could have a major impact on the BPS.  The proper environment that encourages employees to bring up and identify issues is an important step.  This can only be done if management fosters this environment and encourages and rewards employees for discovering issues.  Senior management that demonstrates this will be taking the proper steps for building a strong culture of compliance.

The next FFT Report blog post will discuss the importance of an internal self-assessment program that looks at all aspects of a good compliance program, to ensure that the registered entity builds and maintains strong internal programs.

You can follow Trey on Twitter.


Do You Know About Heavyweight NERC CIP 011-1?

Ron Lepofsky, President, ERE Information Security Auditors

Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.

The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous sounding proposed new standard now in the creation process. To me it looks like the heavyweight in the list of otherwise fairly general standards.

It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.

In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:

CIP 001-1 Sabotage Detection
CIP 002-1 Critical Cyber Asset Identification
CIP 003-1 Security Management Controls
CIP 004-1 Personnel and Training
CIP 005-1 Electronic Security Perimeter(s)
CIP 006-1 Physical Security of Critical Cyber Assets
CIP 007-1 Systems Security Management
CIP 008-1 Incident Reporting and Response Planning
CIP 009-1 Recovery Plans for Critical Cyber Assets
CIP 010-1 BES Cyber System Categorization ( in draft)
CIP 011-1 BES Cyber System Protection (in draft)

What’s Different about CIP 011-1

NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict other CIP standards but instead are drilldowns and complementary to them.

In my opinion 011-1 control points resemble NIST security control points defined in the document: Recommended Security Controls for Federal Information Systems and Organizations. The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit but I think they are specifying critical requirements to harden our electrical security grid.

CIP-011-1 Table R3 – Cyber Security Training
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
CIP-011-1 Table R6 – Physical Access Control Systems
CIP-011-1 Table R7 – Account Management Specifications
CIP-011-1 Table R8 – Account Management Implementation
CIP-011-1 Table R9 – Access Revocation
CIP-011-1 Table R10 – Account Access Control Specifications
CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation
CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management
CIP-011-1 Table R13 – Remote Access Revocation
CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls
CIP-011-1 Table R15 – Malicious Code
CIP-011-1 Table R16 – Security Patch Management
CIP-011-1 Table R17 – System Hardening
CIP-011-1 Table R18 – Security Event Monitoring
CIP-011-1 Table R19 – Communications and Data Integrity
CIP-011-1 Table R20 – Electronic Boundary Protection
CIP-011-1 Table R21 – System Boundary Protection
CIP-011-1 Table R22 – Protective Cyber Systems
CIP-011-1 Table R23 – Configuration Change Management
CIP-011-1 Table R24 – Information Protection
CIP-011-1 Table R25 – Media Sanitization
CIP-011-1 Table R26 – Maintenance
CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications
CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications
CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications
CIP-011-1 Table R30 – Recovery Plan Specifications
CIP-011-1 Table R31 – Recovery Plan Testing Specifications
CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications

Wouldn’t it knock us all out if we find out critically important NIST standards are finally implemented by the custodians of our electrical grid?

Have a secure week. Ron Lepofsky, CISSP, CISM, B.A.Sc. (Mechanical), www.ere-security.ca


71.6% of all NERC Fines for the May 26th Period Were CIP Related Violations

The NERC fines for the May 26th period are out and 71.6% of all financial penalties were CIP related. This is a clear indicator that registered entities are having troubles with CIP-004, CIP-007, CIP-008 and CIP-009. There were fines for all of the other CIP requirements, but the four mentioned requirements seem to be the biggest headaches. We have also heard from NERC and FERC that Registered Entities are still not completing their Internal Compliance Programs as directed by FERC.

To view the latest NERC fines, go to http://www.nerc.com/filez/enforcement/index.html


Taking a Utility From a Culture of Complacency to a Culture of Compliance

Vice President, Energy & Utilities Compliance

As the Electric Reliability Organization (ERO) continues to mature and provide leadership for electric reliability, there have been many changes over the last four years. One of the most recent NERC initiatives is working with the industry on reliability excellence with a risk-based approach. Gerry Cauley, President and CEO of NERC, has continuously emphasized the “Five Key Success Factors” for building a foundation of public trust. These five key success factors include:

  1. Risk-based approach, with reliability performance measurably improving
  2. Reliability-learning, self-correcting industry
  3. Culture of compliance, enforcement backstop
  4. Commitment to security/resilience of grid
  5. Positive relationships and reputation

NERC and the Regional Entities will start conducting more reviews and assessments on registered entities regarding “Risk Based Compliance Monitoring.” All Regions are moving toward evaluations of internal compliance programs based on the FERC “13 questions” provided in the 2005 orders. Some Regional Entities are already sending surveys to their entities trying to learn more about the internal compliance culture in these organizations. They will be reviewing internal processes and procedures. They will also review such things as: the number of violations discovered via audits or investigations, repeat violations, number of mitigation plans, etc.

FERC Orders

Policy Statement on Enforcement, Docket No. PL06-1-000, 113 FERC ¶ 61,068 (October 20, 2005)

Revised Policy Statement on Enforcement, Docket No. PL08-3-000, 123 FERC ¶ 61,156 (May 18, 2008)

Policy Statement on Compliance, Docket No. PL09-1-000, 125 FERC ¶ 61,058 (October 16, 2008)

Policy Statement on Penalty Guidelines, Docket No. PL10-4-000, 130 FERC ¶ 61,220 (March 18, 2010), suspended on April 15, 2010

Revised Policy Statement on Penalty Guidelines, Docket No. PL10-4-000, 132 FERC ¶ 61,216 (October 17, 2010)

Many businesses in regulated industries such as financial services, life sciences, and nuclear have lived through changes like these and have continuously improved their internal compliance and regulatory programs. Many have built strong Culture of Compliance programs. I have seen and been a part of some very strong Culture of Compliance programs. Key elements of these programs are senior management involvement that provides strong leadership and holds individuals accountable. This is essential when implementing the critical elements of a Culture of Compliance.

Another important part of building a better compliance culture is establishing an organization that self-identifies and self-corrects issues. One of the most important aspects of this internal initiative is implementing a robust corrective and preventive action (CAPA) program. Every individual in the organization must be trained on the process and tools of this program; management must continuously support the employees who identify issues; and preventive steps must be assigned and completed.

[Figure: Corrective and Preventive Action (CAPA) Workflow]

AssurX has developed a white paper on how to build the key elements of the “Culture of Compliance” program. Download your copy here to learn more.

You can also follow Trey on Twitter.


Introducing AssurX One: A complete, affordable, single source compliance solution for small- to medium-sized utility companies

The AssurX One program provides small- to medium-sized utility companies a single-source solution for implementing a world-class compliance management system. Included are best-practice pre-configured workflows, dashboards with real-time metrics, automatic regulatory updates, a secure (SAS 70 Type II certified) OnDemand system, Web-based implementation and training, along with industry-focused Webinars and workshops.

Built-in metrics, robust help files and an easy dashboard-centric user interface require minimal training to get up and running quickly.

The AssurX One system consistently tracks, measures and demonstrates compliance for an array of NERC and regional standards and requirements, from annual policy reviews to asset and cyber security management and document control.

Included in the AssurX One program:

  1. Best practices, pre-configured workflows (NERC gap analysis, self-certification schedules/calendars, document control, cyber security management), dashboards and metrics.
  2. Hosted on a secure, OnDemand system with preloaded NERC and regional standards and automatic regulatory updates.
  3. Web-based implementation and training. Tutorials provided for each workflow.
  4. Exclusive industry focused compliance Webinars and workshops.

For more information, download the detailed brochure (PDF):


The Top 10 FERC Enforceable Standards in 2010

Last year we blogged about the top 10 FERC enforceable actions for the NERC standards, with PRC-005-1 violations leading the pack. As you can see in the chart below, 8 out of the top 10 violations are CIP related. So, what changed?

[Chart: FERC Top 10 Enforceable 2010]

According to Trey Kirkpatrick, VP, Energy and Utilities Compliance for AssurX, “With the emergence of the CIP standards into the NERC and Regional Entities CMEP program, registered entities are self-reporting more CIP violations. The entities are finding that documentation of personnel training and system security management continue to be an area for improvement. The registered entities are taking action with proper mitigation plans that are approved by the Regional Entities and NERC. They are also continuing to learn from other areas, such as nuclear power and health sciences, how to instill a ‘Culture of Compliance’ in their workforce.”

And, as stated in NERC’s February 2011 Newsletter:

The Department of Energy (DOE) is launching an initiative to enhance cyber security on the electric grid. The initiative, led by the Department’s Office of Electricity Delivery and Energy Reliability (OE), the National Institute of Standards and Technology (NIST), and the North American Electric Reliability Corporation (NERC), will be an open collaboration with representatives from across the public and private sectors to develop a cybersecurity risk management process guideline for the electric sector.

The Regional Entities and NERC are also performing more on-site audits and spot-checks. They are discovering implementation inconsistencies between entities and are sharing those lessons learned with FERC and the registered entities. NERC has standards teams currently revising the next version of the CIP standards. AssurX will continue to follow these revisions and report on them to our readers in future blogs.


NERC Is Getting Serious About Financial Penalties

James Holler, Founder, Abidance Consulting

As is evident from the latest round of financial penalties (February 23, 2011) from NERC, the time for forgiveness is over. $1,145,500 in financial penalties were handed down to 24 organizations according to the latest statistics — and none were zero-dollar fines.

With penalties ranging from $3,000 all the way up to a whopping $450,000, and with the average penalty at just under $48,000, now is the time to ensure that your NERC compliance program is tightened down.

In the past, we have stressed the importance of training your staff; testing your various procedures as well as maintenance programs for completeness and accuracy; and, using different methods and methodologies to ensure your NERC compliance program is complete and ready to be audited by your Regional Entity and/or NERC at a moment’s notice.

So, with that said, let’s go back over a check-list of the areas that you will need to ensure are addressed in order to keep from having your organization’s name listed on the NERC Enforcement Actions Web page.

The following list is in no particular order, so don’t think you need to work through it in this sequence.

  • Internal Compliance Program (FERC Required — FERC released a guidance document on this back in 2008 — use it!)
  • Pandemic (Critical Assets Only — Use the CIKR documentation on the DHS website as guidance)
  • Facility Ratings Methodology (it better be more than one or two pages — ours average 39 pages)
  • Maintenance and Testing programs for PRC-005 (don’t forget to include the basis for your testing AND the intervals — if in doubt, use the ANSI or IEEE standards as your basis)
  • CIP-001 training for your staff (having your staff sign a piece of paper that they may or may not have read isn’t going to cut it, use a real training program)

This is a partial list of what needs to be addressed so that you don’t become a statistic. As I stress to our clients, don’t overlook anything. If in doubt, ask someone who knows what they are doing and preferably someone who has been down the audit path before. Always remember, just because you passed your last audit, doesn’t mean you are going to pass your next one. Stay alert, stay focused and above all, stay calm, it’s not as bad as it seems.

James Holler is founder of Abidance Consulting.


Fact, Fiction or Just Good Old Fashioned Nonsense – EMP Speech From FERC Conference

James Holler, Founder, Abidance Consulting

On February 8, 2011, FERC hosted a conference dealing with the security of the nation’s grid. I really wish I had been there so I could have called a lot of these people on the carpet about the garbage they were spewing forth! One of the “Chicken Littles” who took time to try and scare people, Avi Schnurr of the Electric Infrastructure Security Council (EISC), gave a doomsday scenario without any language on how to prevent or recover from an EMP event.

If Mr. Schnurr had wanted to add any value to his speech, which by the way, was based on test data from 45-50 years ago, he would have stated that there is a fix for EMP events called a Faraday Shield. Mr. Schnurr could have continued on and told everyone that Faraday Shields are so common that they are used in everyday items such as cell phones, microwave ovens and even LCD televisions. The technology to fix the issue(s) stated by Mr. Schnurr has been around for more than 50 years.

When an individual or company gives you bad scenario after bad scenario of what will, and not what might, occur, and does not give a single example of a solution, or even a hint of one, one should ask oneself what this person’s ulterior motive is.

It is solely my opinion that the only purpose Mr. Schnurr served was to scare the power industry into calling on the EISC for assistance — for a hefty fee I am sure. I could be wrong, but I doubt it. I have seen too many “snake oil salesmen” in my time.

James Holler is founder of Abidance Consulting.


Skilled Social Engineers Threaten Your Proprietary Data

James Holler, Founder, Abidance Consulting

I have used social engineering (SE) to gain physical access to several large facilities and then to get key passwords and login information from people. I have posed as technicians and other officials in order to gain the proprietary information I wanted. Luckily, I’m a good guy who did this at the request of clients to test their own defenses.

Unfortunately, there are a lot of bad guys out there who do this, too.

The bag of tricks that Social Engineers use allows them to lie, cheat and steal their way past your organization’s security controls. The ultimate goal, in most instances, is theft, fraud and/or espionage.

Your best line of defense: Training your people.

Fraud incidents are on the rise and many of these crimes result from social engineers pulling off their costly deceptions in person, via the telephone and through popular social networking sites.

Despite all the media hype about hackers and viruses, the greatest threats to an organization’s information security are actually the employees of the company. They’re the ones who too often, too easily, fall victim to Social Engineering ploys and open the doors wide to anyone who appears to be and act “normal”.

Bank robbers case the joint. So do Social Engineers.

When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gaining information from those that know the company best. Their information gathering can range from simple phone calls to dumpster diving.

Being cognizant of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to blocking these manipulations. Regular testing to ensure the effectiveness of your training initiatives is a must. Your training must allow your staff to understand social engineering methodologies, why it is the most effective tool for attacking a company, and why so many people fall victim. Your staff also needs to learn how effective corporate communication and incident response planning can prevent attacks from occurring in the first place.

Once you discover the best ways to test the effectiveness of your awareness efforts, you will then be able to learn what to do after the attack has occurred. Can you put the genie back in the bottle? Yes, if you know where the genie is likely to go next. Remember, everyone is susceptible to this kind of theft. The key is to know how to spot it so you can stop it.

James Holler is founder of Abidance Consulting.


NERC Compliance Could be Tougher in 2011

James Holler, Founder, Abidance Consulting

As one year winds down, let’s peer ahead to see what compliance “surprises” could come from our friends at NERC in 2011 and beyond.

We all know there are no guarantees that there won’t be any “surprises” next year or beyond. What we, as an industry, do know is that there is going to be a new version of the CIP requirements that will cause most, if not all, registered entities to become a low, medium or high impact critical asset. This change will require registered entities to prepare new policies and procedures as well as implement a series of fail-safes to protect the facility from a physical and/or logical intrusion.

Beyond the revised CIP requirements on tap, there is no telling what the compliance future holds in store for us. This past year there have been multiple NERC Alerts issued that would have affected a majority of the registered entities to some extent.

Then there was AURORA, a big NERC Alert that did affect the current status of many registered entities. As you may know, this alert was issued in October and gave registered entities only a few weeks to respond to NERC.

Next year may see a similar number of Alerts issued; there is no way to determine what may or may not affect you until the Alerts or directives are issued by your Region, NERC or even FERC. One way to stave off unforeseen expenses, including some of the ones registered entities incurred this year, is to outsource all of your NERC compliance efforts for a fixed fee via a Master Services Agreement (MSA) to either an internal corporate division or a competent consulting firm. In either case, whomever you outsource your compliance efforts to must be fully adept at both the CIP and the Reliability Standards. This outsourcing could, in effect, negate any unforeseen expenses for consulting and other initiatives, since all NERC Alerts, etc. would be covered.

In addition to helping you prepare for and handle a prospective audit, your consultants should also be responsible for keeping you compliant at all times, filing the appropriate self certifications, self reports, updating all policies and procedures to reflect any changes that may occur and also to address all NERC Alerts and new requirements that affect you.

James Holler is founder of Abidance Consulting.
