Scratching your head a bit when you read those new issues from NERC? You aren’t alone. Yes, it’s a complicated issue, but arguably NERC isn’t making things easier with its sometimes vague, sometimes complex regulatory writing.
Lucky for us we’ve got Paul Fricke, Quality Manager with AssurX, to act as our interpreter.
His overall take? “We got some clarification and some elaboration, but bottom-line there really is not that much in these new issues,” Paul says. Paul cites a few relatively minor changes that are worth taking a quick look at, e.g., what are “appropriate parties” in CIP-001-1a, clarification about “end points” in CIP-005-1a and CIP-005-2a and Electronic Security Perimeters/Physical Security Perimeters in CIP-006-1c and CIP-006-2c.
Paul elaborates on what it all means, “the big take away is that NERC is active in adding interpretations to NERC Standards to aid in ensuring that registered entities understand the intent of the requirements and how they expect them to be applied.”
It’s also important to note that these new issues aren’t exactly a done deal. They are issued by NERC but are waiting for regulatory approval, with a “TBD” effective date.
Stay tuned.
Editor’s Note: Got a question about all of this? Reach out to Paul at pfricke@assurx.com
In comments filed last month, the North American Electric Reliability Corporation (NERC) told the National Institute of Standards and Technology (NIST) that it should focus hard on coordination of standards as it works on its Proposed Framework for Smart Grid Interoperability Standards.
NERC simultaneously stressed the differences between the three types of proposed standards: Interoperability Standards, System Security Standards and Reliability Standards – and the ultimate need for streamlined, real coordination between the different standards.
“Although the voluntary Interoperability Standards proposed by NIST are designed to achieve a different purpose from the NERC mandatory Reliability Standards, it is critical to the continued reliability of the bulk power system that the two bodies of standards be compatible and complementary,” the Nov. 9th comment noted.
NERC also stressed the importance of cyber security to smart grid technologies and encouraged NIST to integrate adequate cyber security protection, at all levels (device, application, network and system), in the development of its Interoperability Standards.
While NERC CIP Reliability Standards provide for the reliable and safe operation of the bulk power system by preventing the unauthorized cyber and physical access to critical assets and critical cyber assets, NERC commented, there is a need to develop additional cyber security protection for distribution facilities in the development of Smart Grid Interoperability Standards to address, for example, security aspects of interoperability at the distribution level.
http://www.nerc.com/files/FinalNERCCommentsNIST_Smart_Grid_Framework_Document.pdf

Michael Causey, Editor & Publisher, eDataIntegrityReport.com
If 21 CFR Part 11 had a favorite song, it might be The Beatles’ “The Long & Winding Road,” though Sheryl Crow’s “Everyday is a Winding Road” is also a pretty good guess for any DJ hitting the classic rock archives.
We all know the two steps forward, one step (or more) backward path that Part 11 has taken in the past ten-plus years.
Now we’ve got the makings of an interesting parallel in the NERC world.
In testimony [http://www.nerc.com/news_pr.php?npr=359] July 21 before the U.S. House of Representatives’ Committee on Homeland Security hearing on securing the modern electric grid from physical and cyber attacks, NERC VP and Chief Security Officer Michael J. Assante made a valiant, and somewhat successful, attempt to articulate NERC’s view and expectations for others in the industry subject to its regulation and audits.
As we’ve blogged about before, NERC is confronting some major issues surrounding the very safety of the United States power grid. It’s obviously one of the most important tasks out there for regulators.
And like the FDA when it comes to the importance of Part 11 vis-a-vis the efficacy and integrity of electronic records for medical devices and drugs, NERC needs to do whatever it takes to get this right – from issuing clear guidelines, to enforcing the rules with efficient audits.
And it’s those audits that are of most interest to Sal Lucido, Vice President at AssurX. Sal’s theory is that NERC is setting the bar very high (and a little vague) in testimony and other public pronouncements and documents, but that when it comes down to audits, the agency may well take a more common-sense approach. In other words, if the company being audited has an intelligent, well-thought-out approach to compliance based on effective risk management, it should be okay.
“NERC’s vagueness works in your favor,” if you can construct and implement your own strong, defensible risk management plan, Sal notes. “The Part 11 guidelines gave us all trouble when the FDA got into nitpicking.”
But AssurX’s Paul Fricke hopes for more clarity from NERC in the coming weeks. Reviewing Assante’s NERC testimony, Paul told us it was “very good, but a few key things could be improved that I think they are missing and has been confirmed in my numerous discussions with electric utility customers as well as consultants – namely the need for well organized, clear, and concise requirements/standards.”
Fricke hopes that NERC gets more input from across the industry. “I understand they can’t ‘give the keys to the bad guys’ by giving them enough information to help them get around the safeguards,” Fricke says. But NERC also should not come up with guidelines in a vacuum.
That’s part of what doomed 21 CFR Part 11 to years of delay and ultimately slowed the adoption of the technology it was designed to advance.
As Fricke notes, “Many people are confused (specifically with CIP standards) and NERC are assuming that the industry has the years of experience in drafting procedures to be effective across all these ‘sections’ and” follow the Hippocratic Oath by first doing no harm. “The industry does not have extensive experience in this area,” Paul adds.
Paul adds, “The [current] CIP standards jumble up so many processes and areas of responsibility in each of the existing standards that companies need to create entire sets of processes just to organize what each individual standard demands.”
That said, Paul also sees a lot of positives in how NERC is tackling its admittedly tough tasks.
“The other efforts underway seem very well planned and organized as well as appropriate. They need to bring system/process experts into the plans to help them categorize, clarify, and add clarity to the CIP standards once the key needs are refined, confirmed and other outputs from teams are determined. This will help them (NERC) meet the need for all sectors and more accurately meet the ‘do no harm’ need as well as help utilities comply with the full text and intent of the standards.”
We’ll keep you posted as this travels its own long and hopefully not too winding road.
The 2009 Annual AssurX Electric Reliability Special Interest Group Meeting was a great success. This year we met in Denver on June 9-10, 2009 and kicked the event off with a networking reception that mixed business and great conversations. During the conference sessions, we discussed the latest product upgrades for CATSWeb ER, which makes it easier to import new and revised NERC Standards and RSAWs.
In our open forum we learned about how everyone is using the product to manage compliance to the NERC Standards and much more. Presentations on CIP Compliance, Compliance Framework and a customer presentation were loaded with important, useful information. I want to thank RRI Energy for a very informative presentation on their NERC compliance process: recurring evidentiary documentation/gap analysis process.
I also want to thank our customers and partners who participated in this great event. We look forward to the next one!
During the vendor search phase that started approximately a year prior to final selection, PG&E required three basic criteria: Vendor had to have a real product (no vaporware and no custom software), must have sold the product to at least one major utility, and had to have a proven GRC engine. One other criterion was that the system had to be on-premise.
After reducing the vendor count to three, all of them were invited to demonstrate the system using tightly scripted demo requirements created by PG&E. In the end, PG&E said AssurX stood out for several reasons:
- The live demonstration presented by AssurX was “flawless” according to a member on the selection committee
- AssurX scored the highest in the requirements matrix – functionality was at the top of the list
- PG&E was extremely impressed with the whole sales process and support from AssurX – “they were open and honest from day one and they were able to demonstrate exactly what we were looking for”
In fact, the live demonstration of the system went so smoothly that PG&E commented how “deeply impressed” they were. “That looked way too easy,” said one attendee. PG&E will be using the system for compliance, ethics and commitment tracking across the country and for internal auditing, NERC compliance, gas compliance and quality assurance.
Pacific Gas and Electric Company, incorporated in California in 1905, is one of the largest combination natural gas and electric utilities in the United States, with approximately 20,000 employees and revenues of almost $15 billion.
Based on the latest information from NERC, the Critical Infrastructure Protection Standards, CIP-002 through CIP-009, reach the Auditably Compliant stage on July 1st, 2009. Up until now most of us have been focusing on the Sabotage Reporting Standard, CIP-001. Most of the violations associated with CIP-001 are a result of not having an established contact with the FBI for sabotage reporting, or of deficiencies in the procedures or training related to sabotage reporting. Given that CIP-001 is only one standard and is fairly simple compared to the other eight standards, we all assume that a lot more effort will be required for compliance. We also assume there will be significantly more violations and significantly higher fines associated with CIP-002 through CIP-009.
Given that companies have limited resources and time, it may be helpful to look at what is ‘common’ among these standards as they relate to processes and workflows. One process that repeatedly shows up in the requirements is reviews or assessments. For example, CIP-006 Requirement 1.9 says that companies need to establish a process for ensuring that the physical security plan is reviewed at least annually. CIP-009 Requirement 1 says that companies should perform a review of their recovery plans for Critical Cyber Assets annually. While each of these processes must be tailored to meet its specific requirements, there are many common elements that can be leveraged to save time. For example, a typical ‘review’ process includes the following steps:
- Initiate the review
- Perform the review and document any recommendations for change
- Approve the determination and recommendations
- Implement all approved changes
- Request approval that the changes were implemented and close the review
- Schedule the next review based on the required period
Once you have agreed on a general workflow you can then customize the process to meet specific needs. For example, determine who should be approving recommended changes and closure for the specific processes being implemented. So prior to developing your workflows, read through the entire set of CIP Standards and look for repeated processes. It may help you to save time and money. Let me know what processes you have found in the CIP Standards that may be repeated.
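The six review steps above, as an added worked example (not part of the original post, and not AssurX or CATSWeb ER code): a small Python tracker that enforces the step order, records who did what and when as audit evidence, requires a different person than the reviewer to approve closure (an assumption added here, not something the CIP text requires), and schedules the next review from the date the review was performed rather than the date it was closed, so the gap between two performed reviews never exceeds the required period. The CIP-006 R1.9 sample, names and dates are constructed for illustration.

```python
"""Tracker for the recurring 'review' workflow common to several CIP standards.
Added example; not AssurX/CATSWeb ER code. Sample values are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class State(Enum):
    INITIATED = "initiated"      # step 1: review opened
    REVIEWED = "reviewed"        # step 2: review performed, recommendations documented
    APPROVED = "approved"        # step 3: determination and recommendations approved
    IMPLEMENTED = "implemented"  # step 4: approved changes implemented
    CLOSED = "closed"            # step 5: implementation approved, review closed


# The only legal next state from each state, in the order the steps are listed.
NEXT = {
    State.INITIATED: State.REVIEWED,
    State.REVIEWED: State.APPROVED,
    State.APPROVED: State.IMPLEMENTED,
    State.IMPLEMENTED: State.CLOSED,
}


@dataclass
class Review:
    standard: str          # requirement the review satisfies, e.g. "CIP-006 R1.9"
    subject: str           # what is being reviewed
    period_days: int       # required period; 365 for "at least annually"
    due: date              # date by which this review must be closed
    state: State = State.INITIATED
    recommendations: list = field(default_factory=list)
    history: list = field(default_factory=list)  # (state, date, actor): the evidence trail

    def advance(self, to, actor, when, recommendations=()):
        """Move to the next step; refuse to skip steps or move backwards."""
        if NEXT.get(self.state) is not to:
            raise ValueError(f"{self.standard}: {self.state.value} -> {to.value} is not allowed")
        if to is State.REVIEWED:
            self.recommendations.extend(recommendations)
        if to is State.CLOSED:
            # Closure is approved by someone other than the person who performed the
            # review (separation of duties; an assumption of this example, not a CIP rule).
            reviewer = next(a for s, _, a in self.history if s is State.REVIEWED)
            if actor == reviewer:
                raise ValueError(f"{self.standard}: reviewer cannot approve their own closure")
        self.state = to
        self.history.append((to, when, actor))
        return self

    def performed_on(self):
        """Date the review itself was performed (step 2), or None if not yet performed."""
        for s, when, _ in self.history:
            if s is State.REVIEWED:
                return when
        return None


def schedule_next(closed):
    """Step 6: open the follow-on review. The next due date counts from the date the
    review was performed, not the closure date (conservative reading; an assumption)."""
    if closed.state is not State.CLOSED:
        raise ValueError("only a closed review can be rescheduled")
    return Review(closed.standard, closed.subject, closed.period_days,
                  due=closed.performed_on() + timedelta(days=closed.period_days))


def overdue(reviews, today):
    """Reviews past their due date and not yet closed: the gap an auditor would find."""
    return [r for r in reviews if r.state is not State.CLOSED and r.due < today]


def example_cycle():
    """Walk one constructed annual review through all six steps; returns the next review."""
    r = Review("CIP-006 R1.9", "physical security plan", 365, due=date(2009, 7, 1))
    r.advance(State.REVIEWED, "reviewer", date(2009, 6, 10), ["update badge-reader list"])
    r.advance(State.APPROVED, "manager", date(2009, 6, 12))
    r.advance(State.IMPLEMENTED, "reviewer", date(2009, 6, 20))
    r.advance(State.CLOSED, "manager", date(2009, 6, 22))
    return schedule_next(r)


if __name__ == "__main__":
    nxt = example_cycle()
    print(nxt.due)                            # next review due 365 days after it was performed
    print(overdue([nxt], date(2010, 6, 11)))  # the next review, if it was not started in time
```

Running `overdue()` over all open reviews each week gives the recurring evidentiary check the RRI Energy presentation above describes: the history list on each closed review is the documentation, and the overdue list is the gap analysis.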

Michael Causey, Editor & Publisher, eDataIntegrityReport.com
My heartfelt sympathies go out to anyone who has to wade through the North American Electric Reliability Corporation’s (NERC) new cyber security standards.
Last week (May 6), NERC trumpeted the fact that eight revised cyber security standards for the North American bulk power system were approved by its independent Board of Trustees. That approval wrapped up phase one of NERC’s cyber security standards revision work plan, launched last July. “Work continues on phase two of the revision plan, with version three standards already under development” NERC said in a release that might inspire more fear in the hearts of those who must comply with, but first actually decipher, these regulations.
“I wouldn’t call these huge changes, but I might call them confusing ones,” Paul Fricke, Quality Manager at AssurX, told me recently. “The effective dates are confusing and it’s not clear at all when some of the regulations actually take effect. For example CIP-007-2, Effective Date: The first day of the third calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required).”
On the plus side, Paul applauds that NERC removed vague and difficult-to-measure Violation Severity Level elements from the compliance section, e.g. CIP-006-2. On the down side, NERC punted on defining Violation Severity Levels (VSLs), saying they will define them later (CIP-002-2). Until they make those VSLs clear, “utilities will not necessarily know right away what their [potential] risk penalty is, and that’s assuming they’ve been able to define the risk level in the first place.”
But however you slice it, these standards need to be improved to include clear and concise information. The “Sanction Guidelines of the North American Electric Reliability Corporation,” in “Appendix A: Base Penalty Amount Table,” sets out a matrix of Violation Risk Factor by Violation Severity Level, which is used to determine a fine range from the two axis elements. To assist stakeholders and users of the standards, it would seem reasonable to clearly define and specify these in the actual FERC-approved standard. Instead, these (if defined at all) are referenced for the most part in separate documents (RSAWs, VSL Matrix, VRF Matrix) which may or may not be up to date on the NERC website. It’s time for NERC to step up and specify risk factors and violation severity levels in the NERC standards.
You can begin the search for the standards, effective dates, and your part in all of this here: http://www.nerc.com/filez/standards/Mandatory_Effective_Dates_United_States.html
Here’s a link to the actual news release: http://www.nerc.com/news_pr.php?npr=308