PCS BLOG

If the Enforcement Actions haven’t gotten your attention yet, they certainly should be. To date, over $41.5 million in penalties have been assessed to NERC Registered Entities.

According to NERC's own statistics, over 3,300 possible compliance issues are still in process, with over 200 new ones arriving each month.

In an effort to reduce this workload, NERC introduced the Administrative Citation in 2010, an abbreviated route for moving potential violations through the process. Although this helped, it did not make a big enough dent in NERC's backlog.

On September 30, 2011, NERC filed a petition with FERC (RC11-6-000) requesting approval of a new enforcement mechanism for dealing with possible violations that pose a lesser risk to the BPS (Bulk Power System). This filing also gave us our latest acronym in the reliability compliance world, the "FFT." The 90-page filing, titled Petition Requesting Approval of New Enforcement Mechanisms and Submittal of Initial Informational Filing Regarding NERC's Efforts to Refocus Implementation of Its Compliance Monitoring and Enforcement Program, describes NERC's decision to shift how it deals with lesser-risk issues. Possible violations in this lesser-risk category that have already been corrected will be presented as Remediated Issues in a Find, Fix, Track and Report (FFT) spreadsheet format, submitted to FERC in a monthly informational filing. The filing also indicates that more serious violations will be submitted to FERC in a new Spreadsheet Notice of Penalty (NOP) or a Full NOP, as warranted. So, commencing with this filing, NERC will have three tracks for dealing with possible compliance matters: NOPs, FFTs, and dismissals.

To date, issues proposed for the FFT mechanism carry no penalty at all, unlike Administrative Citations or Violations, which are formally assessed a penalty even when that penalty is zero ($0). Keep in mind, though, that FFTs will be placed on a Registered Entity's record and tracked when future violations are evaluated.

You might be thinking, “How do we know if this is going to make a difference?” NERC has committed to reporting back to the Commission and industry stakeholders at six months and one year following its initial filing on experience gained and the results from implementation of the new mechanisms and tools. Let’s hope that FERC approves this petition. It seems to be reasonable and will allow NERC and the Regions to focus on the more serious violations going forward.

That’s what it’s all about – increasing reliability!

The NERC CIP Standards Drafting Team recently presented a webinar to the industry on the current status of the CIP Version 5 Standards.  While there are many changes from the current version of the CIP Standards and what was presented at the last Drafting Team workshop, we will focus in this post on the concept of ‘impact status’ and the potential effects on Asset Owners.  It is important to note that the industry is a long way from final FERC approval for CIP Version 5, so some of these criteria may change before impacting Responsible Entities.

With the approval of CIP-002 Version 4, Responsible Entities will no longer provide their own criteria to categorize assets as Critical or non-critical.  Instead, NERC has provided a “bright line” set of criteria that must be used to determine criticality.  CIP-002 Version 5 builds on this concept with additional granularity and assigns assets compliance efforts and requirements based on the asset’s potential impact on the Bulk Electric System (BES).

High Impact – The focus for this category of assets is on large control centers and the possible widespread impact they could have on the BES.  Asset owners with large control center assets will have to conform to all of the CIP-002 through CIP-011 Standards and will have additional requirements specific to the greater risk they present to the BES (mostly related to remote access).  Control Center and Backup Control Center Assets are currently proposed to be High Impact if they meet any of the following criteria:

  • Reliability Coordinator function
  • Balancing Authority function (if it manages at least one medium impact Critical Asset)
  • Transmission Operator function that controls at least one medium impact Critical Asset
  • Control generation equal to or exceeding 1500 MW in a single Interconnection

The vast majority of these assets are already characterized as Critical Assets, so the additional burden of the CIP Version 5 changes should be minimal.  Most asset owners can afford to wait until Version 5 is approved by FERC before beginning to plan for required changes.

Medium Impact – The focus for this category of assets is on all of the other systems that would be captured under the NERC BOT approved CIP-002 Version 4 criteria (including smaller control centers).  Asset owners with assets that meet these criteria will have to conform to all of the CIP-002 through CIP-011 Standards, with the exception of the additional High Impact Control Center requirements.  While the entire list of criteria to apply is too long to repeat here, examples include (paraphrased for brevity):

  • Groups of generating units at a single plant location exceeding 1500 MW in a single Interconnection
  • Blackstart Resources identified in the TO’s restoration plan
  • Transmission Facilities operated at 500 kV or higher
  • Transmission Facilities operated at 300 kV or higher with stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations
  • Transmission Facilities that provide interconnections to Medium Impact generation facilities.

Many of these assets are already characterized by their owners as Critical Assets, so the additional burden of the CIP Version 5 Standards for these assets should be minimal.  Asset owners who do not have an existing CIP compliance program in place and who will be declaring new Critical Assets under Version 4 should begin planning and budgeting now for the difficult and time-consuming creation of a CIP compliance program.  Asset owners who already have Critical Assets under CIP Version 3 and an existing CIP compliance program will have less effort in preparing any new assets for compliance, but must also plan on a shorter implementation schedule.

Low Impact – This category will capture all other BES cyber systems below the Version 4 criteria.  Low impact assets will be required to have the following:

  • Security Policy
  • Security Awareness
  • Incident Response
  • Boundary Protection

The CIP Standards Drafting Team is proposing a fairly long Version 5 implementation timeline for low impact assets; however, Responsible Entities with a large number of assets in this category should already be thinking about an enterprise-wide set of policies and practices around the proposed topics listed above.  NERC will be expecting Responsible Entities with low impact assets to not only have their policies in place by the compliance deadline, but to also have operationally implemented these policies across all of their qualifying assets.  This could potentially be a very time-consuming project for Responsible Entities with a large number of assets.

Mr. Gerry Cauley, President & CEO of NERC, explained at a November 18, 2010 FERC technical conference that there were over 3,000 violations pending and an average of 30 new violations coming in each week.

On February 1, 2011, NERC filed a new form of Notice of Penalty with FERC to help work through the backlog of alleged violations of the mandatory electric Reliability Standards.  This process, as NERC describes it, will be like receiving a 'parking ticket.'  Violations posing minimal risk to the bulk-power system will be handled through this process.

Hopefully, this will help with the tremendous backlog and clear up some questions entities have regarding their compliance.

If you have not already seen, many new Enforcement Actions were posted on the NERC Website on January 31, 2011. To view the files, go to http://www.nerc.com/filez/enforcement/index.html.

You may have heard the phrase, "It's better to have it and not need it, than need it and not have it."  Certainly, if you have ever filed an insurance claim, and assuming your coverage was sufficient, you were probably very glad to have that coverage pay for repairs or replacement and perhaps offset any liability.  Think about all the commercials and advertisements you have seen for services that offer personal protection against identity theft.  That is yet another type of insurance, one designed to protect you from online data theft and misappropriation.

Considering the imperfect world we live in, where there are no guarantees, and with computer networks vulnerable to both external and internal compromise, the potential cost of dealing with a security breach and its subsequent cleanup can be incredibly high.  In fact, research by the Computer Security Institute puts the average loss at $234,000 per security breach.

Generally speaking, standard property and general business liability insurances do not properly address the issues or damaging results that occur from a cyber attack on your network infrastructure.  Enter what is called “specialized cyber-risk coverage.”

The goal of an insurance policy that addresses cyber security exposure is to transfer that risk from your company to an insurance company.  That seems quite obvious.  Insurance carriers may offer discounts and other incentives for your diligence in protecting your network (think good student discount).  The other positive benefit is that it raises awareness around security measures that can help protect your company.  So in brief, let’s examine the types of coverage that can be obtained.  The following information was acquired directly from the Insurance Information Institute (www.iii.org) website and does an excellent job of explaining the different types of available coverage.

  • Loss/Corruption of Data – covers damage to or destruction of valuable information assets as a result of viruses, malicious code, and Trojan horses.

  • Business Interruption – covers loss of business income as a result of an attack on a company's network that limits the ability to conduct business, such as a denial-of-service computer attack. Coverage also includes extra expense, forensic expenses, and dependent business interruption.

  • Liability – covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of:
      ◦ Breach of privacy due to theft of data (such as credit card, financial, or health-related data);
      ◦ Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties;
      ◦ Failure of security which causes network systems to be unavailable to third parties;
      ◦ Rendering of Internet Professional Services; and
      ◦ Allegations of copyright or trademark infringement, libel, slander, defamation or other "media" activities in the company's website.

  • Cyber Extortion – covers the "settlement" of an extortion threat against a company's network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.

  • Public Relations – covers those public relations costs associated with a cyber attack and restoring of public confidence.

  • Criminal Rewards – covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of the cyber-criminal who attacked the company's computer systems.

  • Cyber-Terrorism – covers those terrorist acts covered by the Terrorism Risk Insurance Act of 2002 and, in some cases, may be further extended to terrorist acts beyond those contemplated in the Act.

  • Identity Theft – provides access to an identity theft call center in the event of stolen customer or employee personal information.

Premiums will vary based on the size of your organization, and it may be worth taking a look at as the number of vulnerabilities and their potential for damaging impact continues to rise.  In this day and age, it has become more of a matter of when than a matter of if your organization will suffer a breach of some type.  It’s always best to be prepared and informed when it comes to risk management.

Data breaches and information leaks are all over the headlines, and as they garner more and more attention, it is certainly not the kind of publicity any company wants.  From banking to healthcare, data in the wrong hands can be detrimental to the individuals affected by the breach and damaging, sometimes severely, to the breached entity.  Equally as important as limiting who has access to your critical and sensitive information, as specified in CIP-003 R5, is controlling how that data is stored and secured.

In today's world of data accessibility and portability, it should come as little surprise that so many data leaks occur.  With the ease of copying files to a USB drive or other portable media and carrying them anywhere without detection, the question arises: "How can I protect my most sensitive information AND protect access to all of the critical data I have worked so hard to categorize in my CIP-003 R4 Information Protection Program?"  That is where data encryption comes into focus.

As a point of reference, encryption, as defined within the greater realm of cryptography, can be described as applying a process (an algorithm) to information (plaintext) to render it unreadable (ciphertext) to everyone except those who hold a specific secret (the key).  The goal of encryption is to maintain the confidentiality of your sensitive data, whether in transit across disparate networks (the Internet, e-mail) or at rest (internal file servers, laptops, thumb drives).  Two caveats matter in practice: the protection is only as strong as the handling of the key (a key stored beside the encrypted file protects nothing), and encryption by itself does not detect tampering, which is why modern modes pair it with an authentication tag.  There are many ways to accomplish this, and while we won't get into the specific details of any one solution or technological approach here, an excellent reference on the technical details, listed as the Cryptographic Toolkit, can be found on the NIST (National Institute of Standards and Technology) website at http://csrc.nist.gov/groups/ST/toolkit/index.html.
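To make the plaintext/ciphertext/key description above concrete, here is an added example (not from the original post, and not a vendor product) that protects a record at rest with AES-256-GCM from the Go standard library: the algorithm turns the record into ciphertext that only the key holder can reverse, and the GCM authentication tag rejects any altered copy instead of returning garbage.  The sample record, the file-name label used as associated data, and the function names are constructed for illustration; how the key itself is stored (a key vault or HSM, never beside the data) is assumed and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned when the authentication tag does not verify.
var ErrTampered = errors.New("ciphertext rejected: authentication failed")

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. In a real
// deployment the key lives in a key vault or HSM, never beside the data
// it protects (that storage choice is assumed here, not shown).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key with AES-256-GCM and returns
// nonce || ciphertext || tag. aad (here a file name) is authenticated
// but not encrypted, so a blob cannot be swapped into another context
// without detection.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; 96 random bits is the
	// standard GCM choice for a modest number of messages per key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad makes
// the tag check fail, and Open returns ErrTampered rather than plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrTampered
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record of the kind a CIP information protection
	// program would classify as sensitive (not real data).
	record := []byte("substation-access-list.csv: alice,badge 1042; bob,badge 1043")
	aad := []byte("file=substation-access-list.csv")

	blob, _ := Seal(key, record, aad)
	fmt.Println("encrypted:", hex.EncodeToString(blob))

	pt, err := Open(key, blob, aad)
	fmt.Println("decrypted:", string(pt), err)

	// Flip one byte, as if a copy on a lost thumb drive had been edited:
	// the tag check fails and nothing is returned.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered copy:", err)
}
```

Two design points worth noting: the nonce is stored with the ciphertext because it is not secret, only non-repeating; and the associated data binds the blob to its file name, so a valid ciphertext copied over a different file is rejected even though the key is the same.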

Adopting and implementing an encryption technology has been criticized as very complicated to implement and maintain, as well as carrying a high price tag.  What companies should weigh against the complexity of implementation are the consequences of having their sensitive information compromised, including but not limited to reputation damage within the industry, financial loss, loss of shareholder confidence, and all of the negative publicity that comes with this unwanted attention.

Your data and its protection are just one of the essential pieces of maintaining a successful Internal Compliance Program and should always be considered within the scope of your all-encompassing compliance efforts.
