Welcome to the new Energy Central — same great community, now with a smoother experience. To login, use your Energy Central email and reset your password.

Trend Watch: 2022 and Beyond Will see Maturation of Internal Control Programs

Technology, politics, climate, and the Coronavirus pandemic are four conditions that will influence future trends in the energy industry. In response to these conditions, the trend for the near future will be an increase in technology that enables automation, integration, and consolidation of internal controls. Tightening internal controls will accommodate the increasing layers of regulations, initiatives, and recommendations driven by local, state, federal, and corporate policies.

This brief will examine each condition and potential impacts. In addition, it will provide strategies to manage internal controls effectively and efficiently for long-term success.

Technology, Politics, Climate, and Coronavirus

Technology

Technology continues to advance at an exponential rate, and with that comes an increased demand for cybersecurity. Examples include artificial intelligence, machine learning, virtual reality, augmented reality, blockchain, internet of things, and 5G. 

As technology changes, the potential for exploiting that technology changes. Gaps in security are patched as fast as new ones open up. Cybercrime is a constant threat that is forever evolving. Bad actors are getting smarter.

NERC CIP regulations were initiated in 2008 and have continued to evolve to meet the increasing complexity of the cybersecurity landscape. While the next major overhaul to the CIP standards has been pending for a significant amount of time, we are likely to see it come to fruition in the near future.

Currently, NERC Reliability Standards Under Development Project 2016-02 Modifications to CIP Standards encompasses modifications to 11 standards to address some issues identified in earlier versions of the CIP Standards:

  • Cyber Asset and BES Cyber Asset Definition
  • Network and Externally Accessible Devices
  • Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations
  • Virtualization

These modifications will expand the scope of compliance, and inevitably require changes to NERC CIP internal control and compliance management programs across the industry.

While NERC CIP isn’t the only approach to cybersecurity (there are over 25 different cybersecurity frameworks), each framework has a common theme with variations on implementation, including differing scope, timelines, data required. Entities realize that to be secure, it is not sufficient to stay within the confines of NERC CIP and are implementing additional frameworks and extending cyber controls. Blending the desired cybersecurity frameworks with additional corporate initiatives and applying to the affected IT, OT, & IoT ecosystem is a challenge that all entities will face.

Politics

The political atmosphere in the United States will continue to shape our future. The current administration has made climate control a top-level priority and we will continue to see more intervention and more regulations than in the prior administration.

The Biden-Harris Administration has made it clear that as a nation, we need to invest in our critical infrastructure. This will mean incentives and regulations to drive towards that goal. There are numerous investments outlined in the Bipartisan Infrastructure Law that will help fund modernization efforts. This includes investment in clean energy with a goal of a “zero-emissions future”, an expansion of transmission lines to support the delivery of that new energy, and attention to make our infrastructure resilient against cyber-attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) is tasked with creating a more secure and resilient infrastructure for the future. Their primary goal is to defend against urgent threats and hazards, and the secondary goal is to strengthen critical infrastructure and address long-term risks.

Cybersecurity and zero-emissions initiatives are frequent at the state level and vary state-to-state. Your controls program must support all states that you operate in.

Climate

Extreme weather events have disrupted our lives more frequently in recent years. Regardless of whether severe events are caused by global warming, or just the natural ebb and flow of weather patterns across time, future disruptions will continue to affect the generation, transmission, and distribution of energy.

It is irresponsible to overlook the impact of drought, flood, fire, extreme heat, extreme cold, and strong winds. Communities should strive for a diversity of energy sources with built in redundancy to ensure a reliable system, one that can respond to rapid changes in weather conditions and accommodate extremes. In February 2021, Texas was crippled due to unprecedented low temperatures. California has had years of horrible forest fires. Record numbers of hurricanes attack the South & East.

There are security and compliance risks inherent in reacting to these extreme weather events - unplanned situations cause us to throw out the rule book and react to the moment. When there is no power, computer systems, and/or communications, we are vulnerable to a variety of issues such as loss of critical data, reduction of physical and cyber security, and compromise to health and safety.

Pandemic

The global pandemic due to Covid-19 has changed our lives in so many ways, some of which have resulted in a long-term impact to the energy industry.

Working and learning from home has created a shift in energy demand in the short-term, but the attitudes towards working and learning online have changed permanently.

Step into any grocery store and you can see that the supply chain has been impacted by the pandemic. This impact stretches worldwide and across many types of products. Technology required to maintain the BES may be unavailable, delayed, or cost significantly more than before. This may mean extending the life of existing technology, which warrants additional controls to maintain until the technology is decommissioned.

Additionally, the pandemic has affected the global workforce. Covid-19 has been temporarily or permanently taking workers away from the jobs.  Time off to recover from the virus, as well as self-quarantine has kept workers away from their jobs.  Furthermore,  an increase in early retirement has been hastened by the pandemic and has created a measurable gap in knowledge and experience. It is not sufficient to rely on individuals to execute controls and maintain compliance in a vacuum. Instead, procedures must be well documented, well communicated, and preferably automated to maintain compliance in the event of attrition, illness, or other causes.

Automation, Integration, and Consolidation of Internal Controls

There will be a breaking point. It will no longer be sufficient to have separate departments, groups, or teams for each type of regulation, policy, or initiative. There is so much overlap that they must be coordinated and consolidated enterprise-wide. Manual hands-on tracking of controls and compliance data is inefficient and error-prone and will only become more complicated and time consuming as the regulatory landscape evolves.

Automation

Typical reasons for automation include reducing human error, eliminating repetitive tasks, and ensuring that tasks are assigned and completed quickly and on time.

A solid internal controls program leverages automation for strong controls especially for the following:

  • Data collection
  • Periodic reviews
  • Scheduled activities
  • Time-based obligations

When designing controls as part of a cybersecurity program, automation becomes even more critical for monitoring assets and asset baseline, patch management, change control, access management, and more.

Integration

There is no one-size-fits-all software ready to accommodate every requirement. Entities should leverage existing systems and best-in-breed additions to the ecosystem and integrate them together to achieve the best result. For example, consider a NERC CIP Compliance program with a central compliance management software that receives asset and baseline updates from an asset management system, receives patch availability information from a patch discovery system, interacts with a human resources system for user data, and receives training completion information from a learning management system. Automated data feeds can be used to simplify these time intensive tasks, ensure greater accuracy, reduce risk of noncompliance, and serve as cybersecurity controls.

Consolidation

As outlined above, internal controls and the resulting compliance evidence will be required for a myriad of reasons such as federal, state, and local regulations, corporate initiatives, cybersecurity needs, and dynamic workforce. Consolidating the management of these controls in a single software system will ensure visibility and accountability of those controls. Designing controls to meet multiple similar requirements rather than being single-focused will ensure that you minimize duplication of effort.

Conclusion

Strong internal controls are required for protection against situations and bad actors that can cause harm. Reliability and security are the objective of the controls, while provable compliance is a result. Technology, politics, climate, and the pandemic affect the content of your controls program. Enterprise-wide automation, integration, and consolidation of internal controls will be necessary to support an effective program today and into the future.

Invest in a software that can adapt to meet your needs and grow with you as your ecosystem changes.