IT'S ALL GREEK TO ME
- Nov 20, 2021 7:12 am GMT
CIP-002-5.1a-R1, CIP-004-6-R4, CIP-010-2-R4, ISO/IEC 27001:2013 A.8.1.1, ISA 62443-2-1:2009 184.108.40.206.5, NIST SP 800-53 SA-9, SA-11
Imagine being a compliance manager tasked with knowing what those acronyms and numbers mean, how they relate to protecting utility plants, cyber assets, or data, and then being asked to implement the related protections. Some of us (me included) read them and feel hopeless.
As a “prosecuting attorney” for WECC, investigating and litigating against entities that were in violation of the CIP standards, I saw both small and large entities violate CIP standards and struggle to remediate the systemic issues that resulted from their CIP implementation. Almost uniformly, however, I saw that the most effective entities, big or small, managed their compliance programs as one whole: they focused on the tasks and objectives of each regulatory regime rather than on managing gaps and silos within distinct business units.
One useful resource for those seeking to align regulatory regimes is a mapping that NERC working groups recently created. It compares the tasks and objectives inherent in NERC CIP, NIST, CIS CSC, COBIT, ISA, and ISO and draws a “direct line” comparison between them. The mapping gives entities a cheat sheet for building the foundation of a compliance program that spans multiple regulatory regimes. It helps entities stop thinking of standards as strictly unrelated "rules" and focus instead on fundamental and familiar concepts: identifying and managing assets, managing supply chain risk, managing configuration change control processes, monitoring access controls, and so on. If an entity focuses on the similarities among these fundamental concepts, it becomes easier to draft policies that are less about mere “compliance” and more about actual protection of its physical and virtual assets. Can you see how this process, though more tedious up front, would be easier to maintain in the long run? How it results in a holistic approach instead of a piecemeal one? How a compliance program with these foundations could adapt dynamically to future changes?