PCS BLOG

Many of you are dealing with the complexities of NERC CIP compliance, and not knowing which version will be applicable next, Version 4 or Version 5, adds to the strain. Planning programs, updating processes and procedures, and estimating budgets are just the start. One of the many aspects of the consulting arena is keeping up with the industry on this topic and all others surrounding reliability compliance, and PCS is doing just that. Our CIP experts are plugged into the CIP world in many ways, including membership on the NERC Critical Infrastructure Protection Committee (CIPC), the NERC Cyber Security Standards Education Team, and the NERC Compliance and Enforcement Input Working Group. Through their participation in these groups, as well as other resources, PCS is able to stay abreast of the ever-changing world of NERC CIP compliance, and we’re here to help you through the changes.

As you may be aware, on August 12, 2013, FERC issued an Order granting a six-month extension of the compliance deadline for the Version 4 CIP Reliability Standards, from April 1, 2014 to October 1, 2014.  FERC agreed that an extension of time for compliance with the Version 4 CIP Reliability Standards is warranted in order to allow responsible entities to more efficiently utilize resources to transition directly from the currently-effective Version 3 CIP Reliability Standards should the Commission adopt its proposal to approve the Version 5 CIP Reliability Standards.  FERC also indicated in its Order that a six-month extension is consistent with the NOPR proposal regarding implementation of the proposed Version 5 Reliability Standards (i.e., transition from the Version 3 CIP Reliability Standards directly to the Version 5 CIP Reliability Standards).  If this does happen, it’s great news for everyone and entities will be able to move on…

If you'd like to read the FERC Order, this link will take you directly to a PDF of the document: http://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=13326415

As always, PCS is here to help. Don’t hesitate to give us a call!

Under NERC Critical Infrastructure Protection Reliability Standards CIP-005-3 Requirement 4 and CIP-007-3 Requirement 8, entities must perform an annual Cyber Vulnerability Assessment (CVA). The language is very specific with regard to the criteria to be fulfilled, yet the process can still be overwhelming and not always completely clear as to how much information is sufficient for an effective evaluation.

It’s important to understand what is required and, conversely, what is not. To firm up our understanding, let’s first discuss what the CVA is not.

As quoted in the May 2012 CIP-005 Compliance Analysis Report, “Entities should be aware that the cyber vulnerability assessment required by CIP-005-3 R4 is not the same cyber vulnerability assessment that is usually recognized by the security industry. Entities should note that “traditional” cyber vulnerability assessments with a tool such as Nessus or any of the commercial vulnerability scanners will probably not alone yield results an audit team can accept.”[1]  Also of great importance is that the CVA does not allow for sampling – each identified cyber asset must be evaluated individually.

So what does the CVA entail?

CIP-005-3 R4 requires five things of the cyber vulnerability assessment: 1) documentation of the cyber vulnerability assessment process, 2) ports and services review, 3) ESP access point discovery, 4) a review of default account controls, passwords and SNMP strings, and 5) documentation of results including mitigation plans.

CIP-007-3 R8 requires documentation of the cyber vulnerability assessment process, a ports and services review, review of controls for default accounts and documentation of results including mitigation plans.

So you grab your latest documentation, all your latest CVA procedures, the info from your last CVA, review it all and then…now what?

Get ready to ask yourself some tough questions…

  • How are you planning to gather cyber asset data for this year’s CVA?
  • How do you know if your CVA process and evidence from the last CVA is sufficient?
  • Is your baseline documentation up to date and in sync with your change control process?
  • Are you using internal staff or considering outsourcing the CVA?

Straightforward enough, or so it would seem; but the more cyber assets you have, the more data there is to gather and review. Many hours of work lie ahead in any case.

And yet more questions…

  • What do you do if you discover items that are different from what is documented and approved as a result of the CVA process?
  • How do you prioritize any necessary remediation efforts based on the discovery process?
  • What if you find that processes are broken and producing unexpected/undesirable results?
  • How do you report and present the CVA results effectively?
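To make the per-asset evaluation concrete, here is an added example (not PCS’s own tooling; the asset names, baseline values and vendor defaults are constructed) that compares each cyber asset’s discovered ports, accounts and SNMP community strings against its documented baseline, treats an asset that was not assessed as a finding rather than sampling around it, and returns the finding list that would feed the results documentation and mitigation plan.

```python
from dataclasses import dataclass
# Constructed baseline: approved ports, accounts and SNMP community strings per
# cyber asset, as recorded in change-control documentation.
BASELINE = {
    "ems-hmi-01": {"ports": {22, 443}, "accounts": {"operator"}, "snmp": {"ops-ro"}},
    "rtu-gw-02": {"ports": {22, 502}, "accounts": {"admin"}, "snmp": {"ops-ro"}},
    "hist-db-03": {"ports": {1433}, "accounts": {"svc_hist"}, "snmp": set()},
}
# Constructed discovery results for this year's CVA; hist-db-03 was not assessed.
DISCOVERED = {
    "ems-hmi-01": {"ports": {22, 443, 5900}, "accounts": {"operator", "guest"}, "snmp": {"ops-ro"}},
    "rtu-gw-02": {"ports": {502}, "accounts": {"admin"}, "snmp": {"public"}},
}
# Assumed vendor defaults to check for; the real list comes from the asset inventory.
DEFAULT_ACCOUNTS = {"admin", "guest", "root"}
DEFAULT_SNMP = {"public", "private"}
@dataclass(frozen=True)
class Finding:
    asset: str
    area: str    # "asset", "ports", "accounts" or "snmp"
    detail: str

def assess_asset(name, baseline, found):
    """Compare one asset's discovery results with its baseline; return its findings."""
    f = []
    for p in sorted(found["ports"] - baseline["ports"]):
        f.append(Finding(name, "ports", f"undocumented listening port {p}"))
    for p in sorted(baseline["ports"] - found["ports"]):
        f.append(Finding(name, "ports", f"documented port {p} not listening; baseline stale?"))
    for a in sorted(found["accounts"] - baseline["accounts"]):
        f.append(Finding(name, "accounts", f"undocumented account {a}"))
    for a in sorted(found["accounts"] & DEFAULT_ACCOUNTS):
        f.append(Finding(name, "accounts", f"default account {a} present; verify it is disabled or its password changed"))
    for s in sorted(found["snmp"] - baseline["snmp"]):
        f.append(Finding(name, "snmp", f"undocumented SNMP community string {s}"))
    for s in sorted(found["snmp"] & DEFAULT_SNMP):
        f.append(Finding(name, "snmp", f"default SNMP community string {s} in use"))
    return f

def run_cva(baseline, discovered):
    """Evaluate every asset individually: no sampling, so an unassessed asset is a finding."""
    findings = []
    for name in sorted(set(baseline) | set(discovered)):
        if name not in discovered:
            findings.append(Finding(name, "asset", "not assessed; every cyber asset must be evaluated"))
        elif name not in baseline:
            findings.append(Finding(name, "asset", "discovered asset absent from baseline documentation"))
        else:
            findings.extend(assess_asset(name, baseline[name], discovered[name]))
    return findings

if __name__ == "__main__":
    for fd in run_cva(BASELINE, DISCOVERED):
        print(f"{fd.asset:<12}{fd.area:<10}{fd.detail}")
```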

Outsourcing an annual CVA can be a great value to your organization to help you validate your processes and procedures, evaluate your methods, and help identify and gain efficiencies for future CVAs. For answers to your questions regarding your annual CVA process and to see how PCS can help you with your next CIP-005-3 and CIP-007-3 CVA, please contact us to find out more.



[1] ERO Compliance Analysis Report – CIP-005 – May 2012, page 23

As most of you know, on March 15, 2012, FERC conditionally approved NERC’s petition that establishes new enforcement mechanisms for handling possible violations of the NERC and Regional Reliability Standards. We’ve already become familiar with the new term “FFT” which is short for this new Find, Fix, Track, and Report process.

As compliance professionals working with numerous entities throughout the various regions within NERC’s footprint, PCS was quite pleased to see that both NERC and FERC realize the importance of delineating between actual threats to the bulk-power system and what we might characterize as common paperwork errors. Personally, this new FERC Order helps me to appreciate the hard work and effort that has been put forth to help streamline the process associated with possible violations of the Reliability Standards. NERC and FERC’s awareness of limited resources and backlog, and their desire to establish a streamlined process is a positive sign that the industry is being heard. Mind you, this doesn’t lessen the need to monitor and document compliance, but it does ease the burden and tension associated with those lower risk requirements, in that a simple mistake may not cost an entity a monetary penalty or the multitude of hours and possible legal fees to address the matter.

Many colleagues I know have asked a simple question, “Are our efforts really ensuring the reliability of the North American bulk power system?” This Order is definitely a step in the right direction, and what I believe to be a huge stepping stone to answering that question.

If you haven’t had a chance to read the FERC Order, below is a summary of the major points. If you’d like to read the full Order, this link will take you to the document: http://www.ferc.gov/whats-new/comm-meet/2012/031512/E-3.pdf.

NERC’s New Enforcement Mechanism for Reliability Standards – FFT Process

  • Conditionally Approved by FERC
    Docket No. RC11-6-000, et al.
  • Order Accepting with Conditions the Electric Reliability Organization’s Petition Requesting Approval of New Enforcement Mechanisms and Requiring Compliance
    Issued March 15, 2012

Find, Fix, Track, and Report

  • Streamlines the enforcement process for specified possible violations of NERC Reliability Standards.
  • Conserves enforcement resources for more serious threats to the bulk-power system.

NERC proposed a three-track process to address possible violations of the Reliability Standards:

Track 1 – maintains the current practice of NERC issuing findings of violation and filing a Notice of Penalty with FERC for those deemed as significant reliability violations.

Track 2 – NERC would submit to FERC a monthly spreadsheet of those deemed “lesser risk” possible violations.

  • For each possible violation, the spreadsheet will detail the remediation measures certified by the registered entity, but no penalties would be assessed and no formal mitigation plans would be required.

Track 3 – NERC proposed to dismiss possible violations for which it was determined that no violation of a reliability standard actually occurred.

In each case, NERC or the Regional Entities would determine which track is appropriate by examining several factors, including:

  • the principal facts and circumstances;
  • the applicable Violation Risk Factor and Violation Severity Level;
  • the potential and actual level of risk to reliability; and
  • the registered entity’s compliance program and compliance history.

FERC’s Conditions

FERC approved NERC’s FFT proposal, with a small number of conditions that limit the range of violations eligible for the FFT process.

In particular, FERC required the NERC risk assessment process to:

  • exclude possible violations posing a moderate, significant, or substantial risk to the BPS;
  • assess the potential risk to the BPS, instead of actual risk after-the-fact;
  • ensure that the circumstances as a whole indicate only a minimal risk to the BPS;
  • base risk assessments on facts, not assumptions;
  • ensure that possible violations that reveal the registered entity has serious shortcomings in its reliability process will not be eligible for FFT; and
  • clarify that a registered entity’s failure to resolve a possible violation that is included in an FFT filing will then be considered a possible violation that is not eligible for the FFT process.

Additional Conditions

  • FERC also required that NERC publicly disclose the registered entity’s identity in FFT filings, except for those associated with cyber security incidents or transmission security reasons.
  • FERC granted NERC’s request to consider an FFT matter closed 60 days after the filing, unless FERC orders otherwise.
  • FERC indicated that it will only conduct reviews of FFT filings in limited and rare circumstances, and that all FFT filings submitted to date are approved.
  • FERC also directed NERC to submit by May 14, 2012, a compliance filing to clarify how it will apply each of the aspects mentioned when making FFT determinations, including:
    1. how NERC and the Regional Entities will evaluate a registered entity’s compliance history;
    2. how NERC’s and the Regional Entities’ compliance workforce will be trained in resolving violations that do not result in a Notice of Penalty; and
    3. how NERC will ensure consistency in reliability enforcement decisions across Regional Entities.


Are you looking for help with your compliance program? Proven Compliance Solutions can provide that help, customized to meet your compliance needs. PCS was founded by a team of professionals with extensive and diverse electric utility experience, who are passionate about helping entities manage the ever-increasing burden of NERC/Regional compliance. PCS staff members have earned industry respect for delivering excellence in compliance support, assessment, mock audits/gap analysis, documentation and ICP development, implementation, and management. Contact us today!

“Subject Matter Experts Hold the Key”

Internal Audit Teams, whether full-time staff or an assembly of department managers, are a luxury seldom afforded to NERC compliance groups, except in larger companies where these same teams may be used for all sorts of corporate audit preparations, including Financial, EPA, SAS 70 & SOX, etc. These same Internal Audit Teams are being given the task of reviewing their Entity’s compliance program prior to a NERC Regional Audit, as well as preparing their Subject Matter Experts (SMEs) for interviews during the audit. Typically, this preparation is focused on “What Not to Say.” Considering this, what expertise is actually being applied that reflects the way Regions are auditing NERC compliance these days?

Questions to consider regarding your Internal Audit Team:

  • What has their exposure been to Regional NERC Compliance Audits?
  • Do they have sufficient Operations, Engineering, or NERC program management backgrounds to understand the SMEs’ or Operators’ roles with respect to each of the standards?
  • Can they be certain the evidence that they are reviewing is the proper evidence required to achieve compliance?
  • Have they attended the Regional meetings, been apprised of lessons learned and auditor findings, or kept up to speed on RSAWs, CANs, etc.?

TODAY: In every Region, audit emphasis is shifting from having procedures and policies in place that regurgitate and deliver responses to standards and requirements to an Auditor’s focus on “Verifying Reliability.” Stated differently: “Having documentation that meets the standards DOES NOT necessarily mean you operate reliably.” The approach of the Regions is focusing more and more on the SMEs and whether or not they understand and actually operate to those company policies and procedures, and can agree with and substantiate the evidence used in support of compliance. Often heard from the SME during our reviews: “That’s our procedure, but this is how we actually operate.”

PCS believes SME training and development, both between audit periods and prior to the actual audit, is a key to reliability and audit success. Our team’s decades of actual experience in generation, transmission, marketing, control systems, physical/cyber security, compliance management, industry committee participation, and leadership are what set us apart and enable excellent peer interaction while SME development and preparation are delivered.

Contact Proven Compliance Solutions today to find out how the PCS Team can help your organization with SME Training and Audit Preparedness and any other NERC and regional compliance needs.

Having been on all three sides of preparing for a NERC / Regional audit (while employed by TVA, working for NERC, and finally working at PCS), it is my opinion that the typical utility NERC Coordinator or manager has a HUGE job ahead of them. PCS has worked with large utilities as well as fairly small, limited-scope entities (such as a GO/GOP or DP/LSE), and regardless of the size, the job of coordinating all the required responses and submittals can be at best daunting. There are three or four roles that the utility coordinator must play, and play well, for an audit to be successfully completed in such a manner as to not interfere with the real business of generating, transmitting, and distributing electric power. These consist of coaching skills, judgment skills, logistics skills, and in some instances, expert skills for any or all Reliability Standards. The following is a synopsis of some of these activities (and no, this is not intended as an exhaustive list).

For instance, it is not an unusual circumstance that the coordinator is also the Head Coach for the utility Subject Matter Experts (SMEs), both in preparing data and RSAW responses as well as in preparing for interviews and responding to onsite (high pressure) questions.  For many, it is their ability to do this very critical job that has landed them with this role in the first place!  During an onsite event (and even some offsite audits), the coach often has to help the SME deal with the stress of being selected to sit in the ‘hot seat’ of the audit – whether as an interviewee or just to clarify questions.  These guys and gals are prepared and called upon to make quick decisions regarding system reliability (“up to and including the shedding of firm load”), and often are not equally prepared for the intense scrutiny of the auditor.

The coordinator is also the Internal Judge, in many cases, as to whether the evidence prepared by the SME is sufficient to satisfy compliance without leading the auditor to ‘other areas’ for discussion. A good friend of mine referred to inadequate data and vague answers as ‘chum’ for the auditor – they can smell it miles away and are always attracted to what they may find. Dinner, perhaps? The coordinator also must try to make sure the evidence presented does not throw a fellow SME or neighboring utility ‘under the bus’. Finding that right mixture of positivity and data can be a challenge, particularly where a lot of job evolutions take place. (How many phone conversations does your operator take part in each day that could be called into evidence?)

Another role that frequently comes into play is that of Master Logistician.  Logistics of where the audit team lodges during the event and what they are fed.  Logistics of how many meeting rooms and when they are needed.  (We know of one instance where the utility, with limited resources in this area, actually rented a portable classroom for a Regional audit event.)  And most importantly, keeping track of the SMEs and ensuring their availability at all reasonable hours to help the audit team understand the entity submittals and face test questions.

Smaller entities will understand that often the coordinator is also the de facto Subject Matter Expert for many or even all of the applicable Reliability Standards.  Many companies, in their drive toward competitiveness, rely heavily on the coordinator to also provide all needed input to the audit team during the audit event, whether on- or off-site, crafting all RSAW responses and gathering all evidence.  This makes the ‘one bus wonder’ a reality – what are the consequences of this person getting waylaid for any reason?  Can anyone step in and fill those shoes?

PCS offers a ‘hats off’ to these utility coordinators, regardless of their title – most of us have been in your position at one time or another. We know the long hours, protracted discussions, head scratching from ‘interesting’ audit questions, and just the plain old stress that comes with your job. It is always our desire to lessen the burdens on any of our clients, and we pay particular attention to the coordinator in all of their duties. Their role is so very crucial, providing often the first impression of their company to the audit team – meeting them in the lobby and showing them to the first session. If you haven’t done so, we suggest you engage your audit coordinator and offer your assistance. You would be amazed how much goodwill and boosted morale that simple act will produce.

Keep up the Good Fight!
