By Sam Brattini, KEMA
On June 18, 2007, the electric utility industry in North America experienced an epic change. That’s the day the Federal Energy Regulatory Commission (FERC) mandated that all users, owners and operators of the bulk electric system (BES) comply with the North American Electric Reliability Corp.’s (NERC) reliability standards or be subject to civil penalties for non-compliance. NERC had been appointed by FERC as the electric reliability organization (ERO) with authority to develop and enforce the standards. The standards cover fourteen general topics, or families, that affect fifteen functional entities defined in the NERC functional model of the BES. (The BES is defined as all circuits operating at 100 kV and above.) All users, owners and operators of BES facilities must register with their regional entity as one or more of the functional entities of the model. Each standard applies to a subset of the functional entities. Presently, there are 111 standards, each including multiple requirements and sub-requirements.
The standards are enforced through periodic audits conducted by the eight regional entities and by self-certification and self-reporting of non-compliance by the registered entities. The eight regional entities cover the contiguous U.S. states, the neighboring Canadian provinces and the Baja of Mexico.
FERC expects each registered entity to develop a compliance program. Salient points to be addressed in a comprehensive compliance program are described in FERC’s revised policy statement on enforcement of May 15, 2008. These points include organization and management, training, documentation, policies and procedures, compliance tracking, and non-compliance reporting and mitigation. The main reason for a documented compliance program is to direct the registered entity to develop a compliance culture that is sustainable and that includes all resource levels of the corporation, from senior management to procedure implementers.
Critical Infrastructure Protection
Compliance with the critical infrastructure protection (CIP) standards is a good example of the effort necessary to meet the requirements. There are nine CIP standards. CIP-001 deals with sabotage reporting, and CIP-002 through CIP-009 deal with cyber security.
CIP-001 has been one of the most violated standards. Registered entities need to have a comprehensive, up-to-date plan to handle a potential sabotage situation if detected for any company facility. The plan must include processes and procedures for identifying a potential sabotage situation and for notifying appropriate personnel. Appropriate personnel include entity employees, parties within the Interconnection, and proper law enforcement authorities.
CIP-002 deals with the identification of critical cyber assets. This standard has gone through a number of revisions over the last four years. Currently, version No. 3 is in effect, but version No. 4 has been approved by FERC and will be implemented in April 2013. Version No. 5 is now in development. In general, CIP-002 is the entry point for the remaining CIP standards: if critical cyber assets are identified, then compliance with the remaining CIP standards, CIP-003 through CIP-009, is mandatory. Compliance with CIP-002 requires three steps: first, the identification of critical assets; second, the identification of cyber assets supporting the critical assets; and third, the identification of those cyber assets that are essential to the operation of the critical asset. In addition, the cyber security senior manager must approve the list of critical assets and critical cyber assets annually. Initially, the method for identifying critical assets was left to the entity. However, to eliminate subjectivity among entities over what is critical, NERC decided to establish “bright line criteria” for all entities to follow. This is the basis for version No. 4. The “bright line criteria” consist of 17 criteria to be used to identify critical assets.
The implementation of CIP-003 through CIP-009 is dependent on the identification of critical cyber assets from CIP-002. The exception is CIP-003, Requirement 2, which requires the identification of a senior manager to take overall responsibility for adherence to CIP-002 through CIP-009. This requirement must be complied with even if critical assets or critical cyber assets are not identified.
The title of each CIP standard dealing with cyber security gives an insight into its purpose:
- CIP-002: Cyber Security—Critical Cyber Asset Identification. Standard CIP-002-4 requires the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the BES.
- CIP-003: Cyber Security—Security Management Controls. Standard CIP-003-4 requires that Responsible Entities have minimum security management controls in place to protect critical cyber assets.
- CIP-004: Cyber Security—Personnel & Training. Standard CIP-004-4 requires that personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training and security awareness.
- CIP-005: Cyber Security—Electronic Security Perimeter(s). Standard CIP-005-4a requires the identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter.
- CIP-006: Cyber Security—Physical Security. Standard CIP-006-4 is intended to ensure the implementation of a physical security program for the protection of critical cyber assets.
- CIP-007: Cyber Security—Systems Security Management. Standard CIP-007-4 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be critical cyber assets, as well as the other (non-critical) cyber assets within the electronic security perimeter(s).
- CIP-008: Cyber Security—Incident Reporting and Response Planning. Standard CIP-008-4 ensures the identification, classification, response, and reporting of cyber security incidents related to critical cyber assets.
- CIP-009: Cyber Security—Recovery Plans for Critical Cyber Assets. Standard CIP-009-4 ensures that recovery plan(s) are put in place for critical cyber assets and that these plans follow established business continuity and disaster recovery techniques and practices.
Version No. 5 of the CIP standards will categorize the criticality of all cyber assets and systems. Registered entities will need to categorize all their cyber assets and cyber systems supporting BES assets as to having high, medium or low impact on the reliable operation of the BES.
The registered entity must prepare not only for an audit; it must also show that it has consistently and conscientiously practiced compliance between audits. This is done by developing comprehensive evidence and a robust compliance program. It should be remembered that it is not enough to have good processes and procedures; it is also necessary to have evidence that these have been followed. To accomplish this, the entity should consider performing the following:
- Pre-audit evidence assessments to determine evidence gaps,
- Compliance program development, assessment, and updates,
- Evidence collection, recording, and storage,
- Process and procedure development and updates,
- Compliance database development and maintenance,
- Cyber vulnerability assessment,
- Mock audits after assessments and evidence updates are complete,
- Compliance training, and
- Periodic compliance monitoring of new and revised standards, evidence development projects and resolution of action items resulting from assessments.
The standards are here to stay. NERC is now in the process of revising existing standards to remove ambiguity and to strengthen requirements. The standards development and revision process is now rooted in a results-based approach that concentrates on performance, risk and competency. NERC is committed to improving the standards, and FERC expects all registered entities to fully comply with them.
Sam Brattini is an executive consultant at KEMA Inc. with extensive experience in the electric utility industry. He currently is KEMA’s director of compliance services and was the chair of the NERC Drafting Team for recently approved Standard EOP-008 for backup facilities. In addition, he’s the chair of the new Real-Time Monitoring and Analysis Capabilities Standard Drafting Team.