
Question

NERC/CIP Challenges?

What do companies find the most challenging when NERC/CIP regulations are updated or changed? How does your company overcome those challenges? The reason I posted the question is because I am learning the industry and wanted to get some feedback from community members. 

Answers

Best Answer

Some resources:

First a paper on cyber security I posted in 2017 (linked below). It discusses the evolution of CIP but is more of a general cyber-security tutorial. It also has many links to other resources, but some of the links may have changed, so you may need to dig a bit. CIP is specific to the electric utility Bulk Electric System (BES, a.k.a. electric utility transmission system).

The second link is to the current NERC CIP regulations, along with some instructions below.

https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

Open the "Subject to enforcement" section (click on the plus sign), and you will see the current set of eleven standards.

One problem you may run into is the language. Although these standards actually do not have much cyber-security jargon, they do use many terms commonly used by high-level transmission system operators (like CAISO, PJM, etc.). If you run into trouble here, let me know, and I can direct you to some additional resources.

-John

Tiffany Aliano on Jun 26, 2019 9:25 pm GMT

Hello John,

Wow, this is a lot of information thank you. I am reading your "Cyber-Security Basics" article and it is concise and the information is very well laid out. 

It's amazing. So what I have gathered from your article is that the advances in technology have created a more convenient way for industries to operate. At the same time, these same automated processes increased vulnerability factors due to remote access (in most cases), where hackers, criminals and retaliating governments alike have grown to become more efficient at penetrating and threatening the security of industrial processes. NERC/CIP regulations are our government's response to prevent and protect said regulated industries from these threats, and they are continually updating regulations to respond to evolving security threats.

Thank you again so much for your response.  You are a great writer and I really appreciate the resources you have provided, as it helps me gain a better understanding of industry challenges as well as why we have the regulations in place that we do today.

Best,
Tiffany
  

Hello Tiffany. I worked for an ISO for 14 years and had some involvement in the CIP implementation, but no actual compliance duties. Each CIP standard carries its own set of challenges, so each one needs to be understood and planned for. A large portion of the CIP V5 standards are documentation and accounting of assets, along with a defined Electronic Security Perimeter that protects cyber assets for the bulk electric system. FERC has taken a more "operational" position with Order 850, which will require process changes by jurisdictional entities to enhance their processes to comply with the new Supply Chain regulations. Lastly, it all comes down to NERC audits and preparing for these events. Some companies will perform an internal pre-audit check by hiring a firm to perform a "mock audit" in advance of the actual NERC audit.

Hello Tiffany,

NERC/CIP regulations are challenging! Here are some of the causes that make these standards particularly challenging:

  1. the regulations are to protect the nation's critical infrastructure from physical and cyber attacks, so the consequences of failure could be severe;
  2. malicious people do exist and have already attacked substations (e.g. Metcalf) and other nations' power grids (e.g. Ukraine);
  3. the attackers are working on becoming more effective;
  4. the standards themselves are somewhat open to interpretation (e.g. CIP-013 asks organizations to manage supply chain risk); and
  5. there are major consequences for non-compliance - enforcement fines can be levied at as much as $1M/day!

The good news is that anyone working to help their organization maintain compliance can obtain assistance. They can ask for help from their ISO, their regional entity, and/or NERC (e.g. https://nerc.net/hotline/ ). I recommend that people with this task immediately reach out and ask for this help. Also, I am available to help people if they like. I've taught a course on NERC/CIP compliance and helped individuals. I can be contacted at 508-831-6563.

Best,

Mike

Tiffany Aliano on Jun 26, 2019 8:39 pm GMT

Hello Mike,

I really appreciate your insight and expertise, as well as your providing some of the causes that make NERC/CIP so challenging. As mentioned in my question, I am pretty new to the Energy Sector and am learning as I go to better represent my company, which offers patch management and other quality and compliance management solutions for the energy industry.

The information you provided gives me a few ideas of topics I could look into, as well as dive deeper into as far as application.

Recently, I have seen a few stories about cyber attacks on smart grids, and of course that opened up more questions. As I learn more, I understand the need for said regulations as well as why they are continually updated.

Thank you again for your response and the link you provided, it's much appreciated. I may need to pick your brain in the future if that's ok?

Best,
Tiffany

Mike Ahern on Jun 27, 2019 7:23 pm GMT

Hello Tiffany,

Certainly! Feel free to call or write (mfahern@wpi.edu).

Best,

Mike

Hi Tiffany,

Thanks for your questions. James Stanton, Director of Compliance Advisory Services at SOS, and author of my original post, provided the following information in regard to your inquiry:

What do companies find the most challenging when NERC/CIP regulations are updated or changed?

Updating procedures and communicating the changes are two of the biggest challenges. Another major challenge is making sure any changes to existing procedures and processes are accomplished well before the changes take effect. Also, any supplemental training of Subject Matter Experts responsible for the applicable requirements needs to be done well ahead of time. Fortunately, the NERC process for changes and updates is very transparent, and the changes can be noted and planned for months in advance of the effective dates.

How does your company overcome those challenges?

As noted above, staying aware of the changes and updates in the developmental pipeline is the best way to be prepared and to make any adjustments to your compliance program well ahead of time. Change management processes can help by crafting communications to staff responsible for assuring compliance with the affected standard, noting what has changed, what hasn't changed, and what steps need to be taken, per training and documentation, to be prepared. Staying ahead of the changes assures smooth transitions and minimizes any surprises.

My take on changing NERC CIP Standards is focused in two areas – technical and business.

From the technical perspective: Utilities know that technology changes quickly and that there will be inevitable changes for NERC CIP technical implementations. One example is the use of virtualization and cloud services. While the NERC CIP Standards don't currently discuss these new technologies, several utilities are utilizing virtualization in the substation environment, and many are curious about the potential of using cloud-based services in the future. These technologies are widely used on the IT side, and it makes sense to take advantage of the benefits these advances bring to the operational side. Most utilities have a strategic direction for operational technology and can normally adapt to changes in NERC CIP Standards.

From the business side: Changes to NERC CIP Standards significantly impact the budget and planning cycles for utilities. For most regulated utilities, cybersecurity costs are part of the operational budget and cannot be cost-recovered like capital projects can, so any increase in operational budgets must be covered by reducing budgets for other operational tasks. Fortunately, NERC understands this and typically sets enforcement dates at least 18 months from FERC approval so that utilities can have at least one annual budgeting cycle to determine the impact of increased requirements.
