Last year we blogged about the top 10 FERC enforceable actions for the NERC standards, with PRC-005-1 violations leading the pack. As you can see in the chart below, 8 out of the top 10 violations are CIP related. So, what changed?
According to Trey Kirkpatrick, VP, Energy and Utilities Compliance for AssurX, “With the emergence of the CIP standards into the NERC and Regional Entities CMEP program, registered entities are self-reporting more CIP violations. The entities are finding that documentation of personnel training and system security management continue to be an area for improvement. The registered entities are taking action with proper mitigation plans that are approved by the Regional Entities and NERC. They are also continuing to learn from other areas such as; nuclear power and health sciences how to instill a ‘Culture of Compliance’ in their workforce.”
And, as stated in NERC’s February 2011 Newsletter:
The Department of Energy (DOE) is launching an initiative to enhance cyber security on the electric grid. The initiative, led by the Department¹s Office of Electricity Delivery and Energy Reliability (OE), the National Institute of Standards and Technology (NIST), and the North American Electric Reliability Corporation (NERC), will be an open collaboration with representatives from across the public and private sectors to develop a cybersecurity risk management process guideline for the electric sector.
The Regional Entities and NERC are also performing more on-site audits and spot-checks. They are discovering implementation inconsistencies between entities and are sharing those lessons learned with FERC and the registered entities. NERC has standard teams currently revising the next version of the CIP standards. AssurX will continue to follow these revisions in updates to our readers in future blogs.
The concept of implementing 
The 
Three years ago,