Have you been audited by NERC yet? – Some real advice for a NERC compliance plan and implementation

Mar 10, 2010, 08:22

Devon Wijesinghe

Remaining compliant with a bevy of regulatory issues weighs heavy on many electrical utility companies that already have enough to worry about. And when the time comes for a NERC audit, many executives are sent scrambling. Unfortunately, with a lack of reliable information, companies remain in the dark on NERC compliance. Plan for these upcoming audits by segmenting standards and creating a forward-looking solution.

If you're in the electrical utility sector and you hear "NERC audit," you're likely to start sweating. Not because you may not have a NERC compliance plan, but because of the simple fact that there really isn't any good information that tells you everything you have to do and exactly how to do it. As you know, there is NERC, FERC, and even SERC. How can you keep them all straight along with the litany of other regulatory issues you have to deal with? One of my best pieces of advice is to break down the different NERC standards into manageable pieces.

Creating a NERC Compliance Plan

First, take apart all the standards and sectionalize them. NERC has done a decent job of trying to separate these into groups. For instance, Cyber Security has standards that run from CIP-001 through CIP-009. However, if you break apart all the different issues that go into just those standards, you will no doubt have a million different action items on your plate. My specialty and focus has been CIP-004, because this is where I have listened to a lot of screaming clients who have become frustrated with the auditing process. The fines that these audits generate can cost upwards of $7,500 per person per day. I was recently at the TechAdvantage Expo in Atlanta and spoke with many industry executives who said they have had to pay fines of several hundred thousand dollars and more for not complying with CIP-004.

The best thing to do is break apart the standards, review each one in detail, and then parse them out to your different department heads, who can be made responsible for implementation. As the NERC compliance plan manager, you will need to get buy-in from your senior management so that they will make clear to your peers that they must report their findings to you. You will need to coordinate their efforts and then tell your senior management that you want to provide them with updates on the plan bi-weekly, or at least monthly. Doing this helps keep them engaged and keeps the resources flowing that you need to devise a NERC compliance plan.

Let's just take, for example, the Cyber Security standards. The very name could be a little misleading, because it implies that this standard should go to your IT department. They are the ones who will need to implement all kinds of cool techno stuff that will provide you with cyber intrusion protection tools, right? Not necessarily. Take, for example, CIP-004. It clearly states that you must have a system in place for conducting awareness training, background risk assessments, and access documentation and credentialing for all of your employees and contractors. Looking at it that way, you realize this is more of a security department or HR concern than a technical one.

Second, when you're looking for vendors to help you analyze all of the different options, remember this one true statement: no single company has a system to manage all NERC compliance plan issues. I've seen it many times before where companies advertise that they can make you NERC compliant just by hiring them. This is a fallacy. There are many consulting companies out there that are very reputable and can certainly assist you with the interpretation and development of a NERC compliance plan, but they cannot implement the systems and technology to make you compliant. I go back to the CIP-004 standard for Cyber Security, where vendors proclaim to be able to achieve compliance in a certain time frame. One of the most important requirements in that standard is conducting a risk assessment background check on anyone who has access to critical assets. To do a background check, you need to be a certified CRA (Credit Reporting Agency). By the same token, that same company would not be the correct fit for other pieces of that standard, for instance handling encryption and password protection of those assets.

Remember that creating a NERC compliance plan is a goal-driven task. Have yourself or a consulting company review the different aspects of NERC that apply, and coordinate with your top managers to make this a goal for you and your peers.

Implementing a NERC Compliance Plan

One of the morals of this story is to get your suppliers to illustrate how they comply with a specific NERC standard. If they say they comply with multiple standards, ask them to show you how, and run it by NERC for verification. Also, make sure their pricing is in line with how they sell it to you. There are multiple occurrences where a vendor will sell something to one company and then turn around and sell the exact same thing to another company at a much higher markup, simply because that industry is regulated. Don't be fooled by those gimmick tactics, and don't allow vendors to prey on your fear of not having a NERC compliance plan in place.

In summary: get a breakdown of which standards apply directly to you, create a matrix chart of which pieces of which standard apply to which departments, get your senior managers involved to set these goals for your peers, and provide them with updates. Then, when going out to vendors, have them prove how their offering directly relates to a NERC compliance plan, and ask them whether they sell that same tool to others and for how much. Doing these things in this order will help you become the go-to person on regulatory issues, and in a utility company, that is highly valued.