By: Sean Sherman
I’m just returning from the Platt NERC Compliance Conference that was held in Houston, TX this week. There is a recurring complaint from some folks that vendors are selling “silver bullets” for NERC compliance, implying “no problems with audits if you just buy product (insert product name here!)”. I am sure the overzealous sales pitch is a valid complaint in some instances, but it really muddies the water for utilities and compliance managers. How do you make a good purchase decision if you are spooked about talking to the vendor? Can you get by without automation?
My point is that the complaint is misleading. In fact, automation is really needed to be compliant with the NERC CIPs. Can you imagine trying to track all changes to a computer system by hand? How can you tell that 100 computers meet a standard configuration? By the time you have checked them by hand, you’ll need to start again. But it is a problem if the organization does not take the time and effort to buy carefully. Compliance is complex because it must fit your unique business, and NERC, like many compliance initiatives, does not tell you exactly how to apply the controls required to satisfy its goals.
My advice? Treat this with the same diligence as any engineering project. You want the right product for the right problem. Try to put aside knee-jerk assumptions about anything until you’ve studied the CIP requirements and come up with a plan for your approach to each requirement.
Without going into a complete rundown of how to set up and run a compliance effort, I think I can point out a few key elements of a NERC CIP compliance effort:
1. Plan to invest time and effort into inventory (per CIP-002) and risk assessment to help identify your scope first. And consider the future, which may speak to needing controls on units or systems that are not in scope now (I am speaking specifically of the FERC Order 706, and the updates to existing CIPs). If you plan now, it will help your budget for resources and effort.
2. Before you commit to any new solutions, examine all the CIP requirements (there are 42 high-level requirements) in light of the scope of your compliance effort. You should consider getting the NERC (or your regional entity’s) audit worksheets, as this will help you focus on the fact that each solution will require evidence – proof of compliance.
3. Don’t work in a bubble! Plan to include key stakeholders in operations, IT, and internal audit. You will get advice that might be out of scope, but you might also gain insight from groups that had not previously understood the compliance requirements. If you don’t get much feedback, consider involving the auditors/consultants you may already use for other reliability compliance work to help you understand the evidence likely to apply to CIP-002 through CIP-009.
4. Finally, speak with vendors about their solutions to the various CIP requirements. There really are no silver bullets. You will have to integrate new automation into your unique collection of current and future CCA (critical cyber assets). You will likely have to buy different tools for different CIP areas. And don’t forget you need the tools to help you prove compliance – what kind of evidence will they supply?
By now you will know more about the CIP requirements as they fit into your unique environment. And I suspect you will also be able to discern marketing fluff from real value.
Hope this helps, and encourages a less fearful tone about discussing CIP requirements with vendors.