PCS BLOG

The title of this blog is commonly associated with old age and keeping our loved ones safe, but it is also associated with a feeling of helplessness and being alone. Many compliance professionals and SMEs that I have spoken with have communicated just that when talking about their daily tasks and experiences. As a team member of Proven Compliance Solutions, I recently attended an industry reliability compliance workshop along with about 400 other eager participants. As I was diligently listening to the featured speaker, I was reminded of a quote that my good friend Brad voiced several years ago while discussing the duties associated with a majority of his compliance activities. Simply stated, he said a lot of what he does is, “Documenting the obvious…” Sitting through presentations can be enlightening and informative, but they can also be a bit wearing as I think of all the people around me listening to a speaker tell them about another new process, method, or formula to mix, measure, and validate their program. I remember some time ago hearing that there would be fewer standards and fewer requirements and that compliance would get easier. That, my friends, is not what I’m seeing out there. If you haven’t explored the Standards Under Development page on the NERC site, you may not be aware of the boatload of activities going on.

I am fortunate in that I work with a group of individuals who live NERC/Regional reliability compliance on a daily basis. We have the opportunity to divide up the responsibilities of tracking and understanding all of the rules and regulations, and the constant changes that come with keeping up with an industry that is responsible for the security and reliability of the BES. We attend regional meetings and webinars, participate in various committees, read everything we can get our hands on, and track standards under development, committee activities, and reliability compliance activities in each Region, at NERC, and at FERC to keep our clients informed and on top of their programs. Our client reports are customized to each entity’s NERC registered functions, the current standards and standards under development that are applicable to their functions and operations, activities related to regional standards, recent webinars and meetings, and any other associated information. For each of the standards addressed in our tracking matrices, our PCS experts provide information relevant to our client’s operations and offer opinions and specific action items related to their reliability compliance program.

Gathering this information can seem like a monumental task, but the process of doing so keeps us informed to the highest degree possible, and it also keeps us on our toes! So many times I have talked with individuals trying to manage their programs who are exhausted and overwhelmed. It is not uncommon that reliability compliance is just a portion of their jobs. I definitely understand their situation and see their need for a team of individuals like PCS to help them out. That’s what we’re here for and what we love to do! So, if you’re reading this and want to find out what we can do to make your job easier, I hope you’ll get in touch with us to find out more.

Many of you are dealing with the complexities of NERC CIP compliance, and not knowing which version will be applicable next, Version 4 or Version 5, can add to the strain. Planning programs, updating processes and procedures, and estimating budgets is just the start. One of the many aspects of the consulting arena is to keep up with the industry on this topic and all others surrounding reliability compliance, and PCS is doing just that. Our CIP experts are plugged into the CIP world in many ways, including membership on the NERC Critical Infrastructure Protection Committee (CIPC), the NERC Cyber Security Standards Education Team, and the NERC Compliance and Enforcement Input Working Group. Through their participation and involvement with these groups, as well as other resources, PCS is able to stay abreast of the ever-changing world of NERC CIP compliance, and we’re here to help you through the changes.

As you may be aware, on August 12, 2013, FERC issued an Order granting a six-month extension of the compliance deadline for the Version 4 CIP Reliability Standards, from April 1, 2014 to October 1, 2014. FERC agreed that an extension of time for compliance with the Version 4 CIP Reliability Standards is warranted in order to allow responsible entities to use their resources more efficiently by transitioning directly from the currently effective Version 3 CIP Reliability Standards, should the Commission adopt its proposal to approve the Version 5 CIP Reliability Standards. FERC also indicated in its Order that a six-month extension is consistent with the NOPR proposal regarding implementation of the proposed Version 5 Reliability Standards (i.e., transition from the Version 3 CIP Reliability Standards directly to the Version 5 CIP Reliability Standards). If this does happen, it’s great news for everyone, and entities will be able to move on…

If you'd like to read the FERC Order, this link will take you directly to a PDF of the document: http://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=13326415

As always, PCS is here to help. Don’t hesitate to give us a call!

“Subject Matter Experts Hold the Key”

Internal Audit Teams, whether full-time staff or an assembly of department managers, are a luxury seldom afforded to NERC compliance groups, except in larger companies where these same teams may be used for all sorts of corporate audit preparations, including Financial, EPA, SAS 70 & SOX, etc. These same Internal Audit Teams are being given the task of reviewing their Entity’s compliance program prior to a NERC Regional Audit, as well as preparing their Subject Matter Experts (SMEs) for interviews during the audit. Typically, this preparation is focused on “What Not to Say.” Considering this, what expertise is actually being applied that reflects the way Regions are auditing NERC compliance these days?

Questions to consider regarding your Internal Audit Team:

  • What has their exposure been to Regional NERC Compliance Audits?
  • Do they have sufficient Operations, Engineering, or NERC program management backgrounds to understand the SMEs' or Operators’ roles with respect to each of the standards?
  • Can they be certain the evidence that they are reviewing is the proper evidence required to achieve compliance?
  • Have they attended the Regional meetings, been apprised of lessons learned and auditor findings, or kept up to speed on RSAWs, CANs, etc?

TODAY: In every Region, audit emphasis is shifting from having procedures and policies in place that regurgitate and deliver responses to standards and requirements to an auditor’s focus on “Verifying Reliability.” Stated differently… “Having documentation that meets the standards DOES NOT necessarily mean you operate reliably.” The approach of the Regions is focusing more and more on the SMEs: whether or not they understand and actually operate to those company policies and procedures, and whether they can agree with and substantiate the evidence used in support of compliance. Often heard from the SME during our reviews: "That's our procedure, but this is how we actually operate.”

PCS believes SME training and development, both between audit periods and prior to the actual audit, is a key to reliability and audit success. Our team’s decades of actual experience in generation, transmission, marketing, control systems, physical/cyber security, compliance management, industry committee participation, and leadership are what set us apart and enable excellent peer interaction to take place while SME development and preparations are delivered.

Contact Proven Compliance Solutions today to find out how the PCS Team can help your organization with SME Training and Audit Preparedness and any other NERC and regional compliance needs.

Under NERC Critical Infrastructure Protection Reliability Standards CIP-005-3 Requirement 4 and CIP-007-3 Requirement 8, entities must perform an annual Cyber Vulnerability Assessment (CVA). The language is very specific with regard to the criteria to be fulfilled, yet the process can still be overwhelming and not always completely clear as to how much information is sufficient for an effective evaluation.

It’s important to understand what is required and, conversely, what is not. To firm up our understanding, let’s discuss what the CVA is not.

As quoted in the May 2012 CIP-005 Compliance Analysis Report, “Entities should be aware that the cyber vulnerability assessment required by CIP-005-3 R4 is not the same cyber vulnerability assessment that is usually recognized by the security industry. Entities should note that ‘traditional’ cyber vulnerability assessments with a tool such as Nessus or any of the commercial vulnerability scanners will probably not alone yield results an audit team can accept.”[1] Also of great importance is that the CVA does not allow for sampling: each identified cyber asset must be evaluated individually.

So what does the CVA entail?

CIP-005-3 R4 requires five things of the cyber vulnerability assessment: 1) documentation of the cyber vulnerability assessment process, 2) ports and services review, 3) ESP access point discovery, 4) a review of default account controls, passwords and SNMP strings, and 5) documentation of results including mitigation plans.

CIP-007-3 R8 requires documentation of the cyber vulnerability assessment process, a ports and services review, review of controls for default accounts and documentation of results including mitigation plans.

So you grab your latest documentation, all your latest CVA procedures, the info from your last CVA, review it all and then…now what?

Get ready to ask yourself some tough questions…

  • How are you planning to gather cyber asset data for this year’s CVA?
  • How do you know if your CVA process and evidence from the last CVA is sufficient?
  • Is your baseline documentation up to date and in sync with your change control process?
  • Are you using internal staff or considering outsourcing the CVA?

Straightforward enough, or so it would seem, but the more cyber assets you have, the greater the amount of data. In any case, many hours of work lie ahead, for certain.

And yet more questions…

  • What do you do if you discover items that are different from what is documented and approved as a result of the CVA process?
  • How do you prioritize any necessary remediation efforts based on the discovery process?
  • What if you find that processes are broken and producing unexpected/undesirable results?
  • How do you report and present the CVA results effectively?
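As an added illustration, not code from the PCS post or from NERC, the check below compares one year's ports-and-services and default-account observations against the documented baseline for every cyber asset on the list, flags any asset that was not assessed (since the CVA does not allow sampling), and assigns each finding a remediation priority; all asset names and values are constructed sample data.

```python
# Added example: CVA evidence check for the CIP-005-3 R4 / CIP-007-3 R8
# ports-and-services review and default-account review. Every asset in the
# baseline must appear in the observations: no sampling is permitted.

# Constructed baseline: what change control says each asset should expose.
BASELINE = {
    "rtu-01":    {"ports": {22, 502},   "default_accounts_disabled": True},
    "hmi-02":    {"ports": {443, 3389}, "default_accounts_disabled": True},
    "eap-fw-01": {"ports": {22},        "default_accounts_disabled": True},
}

# Constructed observations from this year's assessment (eap-fw-01 was skipped,
# and a host not in the baseline was discovered during access point discovery).
OBSERVED = {
    "rtu-01":  {"ports": {22, 502, 23}, "default_accounts_disabled": True},
    "hmi-02":  {"ports": {443},         "default_accounts_disabled": False},
    "jump-09": {"ports": {3389},        "default_accounts_disabled": False},
}


def assess(baseline, observed):
    """Return {asset: [(priority, finding), ...]}, empty list = no deviation.

    Priority 1 = remediate/mitigate first, 2 = investigate an undocumented
    change, 3 = documentation or baseline is out of sync with reality."""
    findings = {}
    for asset, expected in baseline.items():
        actual = observed.get(asset)
        if actual is None:
            findings[asset] = [(1, "not assessed: every asset must be evaluated")]
            continue
        issues = []
        if expected["default_accounts_disabled"] and not actual["default_accounts_disabled"]:
            issues.append((1, "default accounts still enabled"))
        extra = sorted(actual["ports"] - expected["ports"])
        if extra:
            issues.append((2, f"undocumented open ports {extra}"))
        missing = sorted(expected["ports"] - actual["ports"])
        if missing:
            issues.append((3, f"baselined ports not observed {missing}"))
        findings[asset] = sorted(issues)
    for asset in sorted(observed.keys() - baseline.keys()):
        findings[asset] = [(2, "not in baseline: asset or access point inventory is stale")]
    return findings


def worklist(findings):
    """Flatten findings into a remediation order: highest priority first."""
    return sorted((p, asset, msg) for asset, items in findings.items() for p, msg in items)
```

Assets with an empty finding list can be evidenced as "reviewed, no deviation"; the remaining entries are the mitigation plan items the results documentation must carry.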

Outsourcing an annual CVA can be a great value to your organization to help you validate your processes and procedures, evaluate your methods, and help identify and gain efficiencies for future CVAs. For answers to your questions regarding your annual CVA process and to see how PCS can help you with your next CIP-005-3 and CIP-007-3 CVA, please contact us to find out more.



[1] ERO Compliance Analysis Report – CIP-005 – May 2012, page 23

As most of you know, on March 15, 2012, FERC conditionally approved NERC’s petition that establishes new enforcement mechanisms for handling possible violations of the NERC and Regional Reliability Standards. We’ve already become familiar with the new term “FFT” which is short for this new Find, Fix, Track, and Report process.

As compliance professionals working with numerous entities throughout the various regions within NERC’s footprint, PCS was quite pleased to see that both NERC and FERC realize the importance of delineating between actual threats to the bulk-power system and what we might characterize as common paperwork errors. Personally, this new FERC Order helps me to appreciate the hard work and effort that has been put forth to help streamline the process associated with possible violations of the Reliability Standards. NERC and FERC’s awareness of limited resources and backlog, and their desire to establish a streamlined process is a positive sign that the industry is being heard. Mind you, this doesn’t lessen the need to monitor and document compliance, but it does ease the burden and tension associated with those lower risk requirements, in that a simple mistake may not cost an entity a monetary penalty or the multitude of hours and possible legal fees to address the matter.

Many colleagues I know have asked a simple question, “Are our efforts really ensuring the reliability of the North American bulk power system?” This Order is definitely a step in the right direction, and what I believe to be a huge stepping stone to answering that question.

If you haven’t had a chance to read the FERC Order, below is a summary of the major points. If you’d like to read the full Order, this link will take you to the document: http://www.ferc.gov/whats-new/comm-meet/2012/031512/E-3.pdf.

NERC’s New Enforcement Mechanism for Reliability Standards – FFT Process

  • Conditionally Approved by FERC
    Docket No. RC11-6-000, et al.
  • Order Accepting with Conditions the Electric Reliability Organization’s Petition Requesting Approval of New Enforcement Mechanisms and Requiring Compliance
    Issued March 15, 2012

Find, Fix, Track, and Report

  • Streamlines the enforcement process for specified possible violations of NERC Reliability Standards.
  • Conserves enforcement resources for more serious threats to the bulk-power system.

NERC proposed a three-track process to address possible violations of the Reliability Standards

Track 1 – maintains the current practice of NERC issuing findings of violation and filing a Notice of Penalty with FERC for those deemed as significant reliability violations.

Track 2 – NERC would submit to FERC a monthly spreadsheet of those deemed “lesser risk” possible violations.

  • For each possible violation, the spreadsheet will detail the remediation measures certified by the registered entity, but no penalties would be assessed and no formal mitigation plans would be required.

Track 3 – NERC proposed to dismiss possible violations for which it was determined that no violation of a reliability standard actually occurred.

In each case, NERC or the Regional Entities would determine which track is appropriate by examining several factors, including:

  • the principal facts and circumstances;
  • the applicable Violation Risk Factor and Violation Severity Level;
  • the potential and actual level of risk to reliability; and
  • the registered entity’s compliance program and compliance history.

FERC’s Conditions

FERC approved NERC’s FFT proposal, with a small number of conditions that limit the range of violations eligible for the FFT process.

In particular, FERC required the NERC risk assessment process to:

  • exclude possible violations posing a moderate, significant, or substantial risk to the BPS;
  • assess the potential risk to the BPS, instead of actual risk after-the-fact;
  • ensure that the circumstances as a whole indicate only a minimal risk to the BPS;
  • base risk assessments on facts, not assumptions;
  • ensure that possible violations that reveal the registered entity has serious shortcomings in its reliability process will not be eligible for FFT; and
  • clarify that a registered entity’s failure to resolve a possible violation that is included in an FFT filing will then be considered a possible violation that is not eligible for the FFT process.

Additional Conditions

  • FERC also required that NERC publicly disclose the registered entity’s identity in FFT filings, except for those associated with cyber security incidents or transmission security reasons.
  • FERC granted NERC’s request to consider an FFT matter closed 60 days after the filing, unless FERC orders otherwise.
  • FERC indicated that it will only conduct reviews of FFT filings in limited and rare circumstances, and that all FFT filings submitted to date are approved.
  • FERC also directed NERC to submit by May 14, 2012, a compliance filing to clarify how it will apply each of the aspects mentioned when making FFT determinations, including:
  1. how NERC and the Regional Entities will evaluate a registered entity’s compliance history;
  2. how NERC and the Regional Entity’s compliance workforce will be trained in resolving violations that do not result in a Notice of Penalty; and
  3. how NERC will ensure consistency in the reliability enforcement decisions across Regional Entities.


Are you looking for help with your compliance program? Proven Compliance Solutions can provide that help, customized to meet your compliance needs. PCS was founded by a team of professionals with extensive and diverse electric utility experience, who are passionate about helping entities manage the ever-increasing burden of NERC/Regional compliance. PCS staff members have earned industry respect for delivering excellence in compliance support, assessment, mock audits/gap analysis, documentation and ICP development, implementation, and management. Contact us today!
