- Jun 4, 2019 11:15 am GMT
- 1004 views
What do companies find the most challenging when NERC/CIP regulations are updated or changed? How does your company overcome those challenges? The reason I posted the question is because I am learning the industry and wanted to get some feedback from community members.
Member since 2013
Senior Consultant, Microgrid Labs
First a paper on cyber security I posted in 2017 (linked below). It discusses the evolution of CIP but is more of a general cyber-security tutorial. It also has many links to other resources, but some of the links may have changed, so you may need to dig a bit. CIP is specific to the electric utility Bulk Electric System (BES, a.k.a. electric utility transmission system).
The second link is to the current NEC CIP regulations. along with some instructions below.
Open the "Subject to enforcement" (click on the plus sign). and you will see the current set of eleven standards.
One problem you may run into is the language. Although these standards actually do not have much cyber-security jargon, the do use many terms commonly used by high level transmission system operators (like CAISO, PJM, etc.). If you run into trouble here let me know, and I can direct you to some additional resources.
Reliable Energy Analytics LLC
Member since 2018
Senior Consultant, Reliable Energy Analytics LLC
Hello Tiffany. I worked for an ISO for 14 years and had some involvement in the CIP implementation, but no actual compliance duties. Each CIP standard carries it's on set of challenges so each one needs to be understood and planned for. A large portion of the CIP V5 standards are documentation and accounting of assets along with a defined Electronic Security Perimeter that protect cyber assets for the bulk electric system. FERC has taken a more "operational" position with Order 850, which will require process changes by jurisdictional entities to enhance their processes to comply with the new Supply Chain regulations. Lastly, it all comes down to NERC audits and preparing for these events. Some companies will perform an internal pre-audit check by hiring a firm to perform a "mock audit" in advance of the actual NERC audit.
Worcester Polytechnic Institute
Member since 2016
Director, Worcester Polytechnic Institute
NERC/CIP regulations are challenging! Here are some of the causes that make these standards particularly challenging:
- the regulations are to protect the nation's critical infrastructure from physical and cyber attacks so the consequences of failure could be severe;
- malicious people do exist and have already attacked substations (e.g. Metcalf) and other nations's power grids (e.g. Ukraine);
- the attackers are working on becoming more effective;
- the standards themselves are somewhat open to interpretation (e.g. CIP-013 asks organizations to manage supply chain risk); and
- there are major consequences for non-compliance - enforcement fines can be levied at as much as $1M/day!
The good news is that anyone working to help their organization maintain compliance can obtain assistance. They can ask for help from their ISO, their regional entity, and/or NERC (e.g. https://nerc.net/hotline/ ). I recommend that people with this task immediately reach out and ask for this help. Also, I am available to help people if they like. I've taught a course on NERC/CIP compliance and helped individuals. I can be contacted at 508-831-6563.
PR Director, Certified Trainer
Member since 2017
PR Director, Certified Trainer, SOS Intl
Thanks for your questions. James Stanton, Director of Compliance Advisory Services at SOS, and author of my original post, provided the following information in regards to your inquiry:
What do companies find the most challenging when NERC/CIP regulations are updated or changed?
Updating procedures and communicating the changes are two of the biggest challenges. Another major challenge is making sure any changes to existing procedures and processes are accomplished well before the changes take effect. Also, any supplemental training of Subject Matter Experts responsible for the applicable requirements needs to be done well ahead of time. Fortunately, the NERC process for changes and updates is very transparent and the changes can be noted and planned for months in advance the effective dates.
How does your company overcome those challenges?
As noted above, staying aware of the changes and updates in the developmental pipeline is the best way to be prepared and make any adjustments to your compliance program well ahead of time. Change management processes can help by crafting communications to staff responsible for assuring compliance with the affected standard, noting what has changed, what hasn’t changed, what steps need to be taken as per training and documentation to be prepared. Staying ahead of the changes assures smooth transitions and minimizes any surprises.
Senior Project Engineer
Member since 2018
Senior Project Engineer, POWER Engineers
My take on changing NERC CIP Standards is focused in two areas – technical and business.
From the technical perspective: Utilities know that technology changes quickly and that there will be inevitable changes for NERC CIP technical implementations. One example is the use of virtualization and cloud services. While the NERC CIP Standards don’t currently discuss these new technologies, several utilities are utilizing virtualization in the substation environment and many are curious about the potential of using cloud-based services in the future. These technologies are widely used on the IT side and it makes sense to take the advantages that these advances bring to the operational side. Most utilities have a strategic direction for operational technology and can normally adapt to changes in NERC CIP Standards.
From the business side: Changes to NERC CIP Standards significantly impact the budget and planning cycles for utilities. For most regulated utilities, cybersecurity costs are part of the operational budget and cannot be cost-recovered like capital projects can, so any increase in operational budgets must be covered by reducing budgets for other operational tasks. Fortunately, NERC understands this and typically sets enforcement dates at least 18 months from FERC approval so that utilities can have at least one annual budgeting cycle to determine the impact of increased requirements.
Tap Into The Experience of the Network
One of the great things about our industry is our willingness to share knowledge and experience.
The Energy Central Q&A platform allows you to easily tap into the experience of thousands of your colleagues in utilities.
When you need advice, have a tough problem or just need other viewpoints, post a question. Your question will go out to our network of industry professionals and experts. If it is sensitive, you can post anonymously.
Ask a question now »