
IT'S ALL GREEK TO ME

Ruben Arredondo, General Counsel, REGIME, LLC

Cybersecurity attorney and SME specializing in FERC and NERC CIP compliance, with over 15 years of experience bridging the intersection between legal, technical, and regulatory challenges....

Nov 22, 2021

CIP-002-5.1a-R1, CIP-004-6-R4, CIP-010-2-R4, ISO/IEC 27001:2013 A.8.1.1, ISA 62443-2-1:2009 4.3.2.6.5, NIST 800-53, SA-9, SA-11

Imagine being a compliance manager tasked with knowing what those acronyms and numbers mean, how they relate to protecting utility plant, cyber assets, or data, and then being asked to implement the related protections. Some of us (including me) may read them and feel hopeless.

As a “prosecuting attorney” for WECC investigating and litigating against entities that were in violation of the CIP standards, I saw both small and large entities violate CIP standards and struggle to remediate systemic issues resulting from their CIP implementation. Almost uniformly, however, I saw that the most effective entities, big or small, managed their compliance programs as one great whole, focusing on the tasks and objectives of each regulatory regime and less on managing gaps and silos within distinct business units.

One great tool for those seeking to align regulatory regimes was recently created by NERC working groups. It compares the tasks and objectives inherent in NERC CIP, NIST, CIS CSC, COBIT, ISA, and ISO and draws a “direct line” comparison between them. The tool gives entities a cheat sheet on how to build the foundation for a compliance program that spans multiple regulatory regimes. It helps entities stop thinking of standards as strictly unrelated "rules" and focus more on fundamental and familiar concepts like identifying and managing assets, managing supply chain risk, managing configuration change control processes, monitoring access controls, etc. If an entity focuses on the similarities among these fundamental concepts, it is easier to draft policies that are less focused on mere “compliance” and more on actual protection of its physical and virtual assets. Can you see how this process, though more tedious up front, would be easier to maintain in the long run? How it results in a more holistic approach instead of a piecemeal one? How a compliance program built on these foundations could dynamically adapt to future changes?

Matt Chester on Nov 22, 2021

"Almost uniformly, however, I saw that the most effective entities, big or small, managed their compliance programs as one great whole, focusing on the tasks and objectives of each regulatory regime and less on managing gaps and silos within distinct business units."

Are the organizations that failed to take this approach doing so because they are trying not to invest more than is needed (in their minds), or is there more of an ignorance of those causes and effects?
