How to Interpret a NERC Requirement
As many of you know, neither FERC, NERC or your Regional Entity (FRCC, MRO, NPCC, RFC, SERC, SPP, TRE, WECC) has been willing to give any kind of interpretation for many of the NERC requirements. For example, if you want to know what the definition of annual is, neither NERC nor any of the regional entities will give you a “hard answer”.
With that said, here is a piece of information you may want to hold onto. If a requirement has not been officially interpreted in writing by the regional entity or NERC or by a FERC Order, Ruling or case decision, then the registered entity can choose its own interpretation as it applies to best business and utility practices for their environment. This interpretation should stand up in court and it is, for a lack of better words, FERC’s Achilles Heel. The registered entity interpretation must be in writing and widely disseminated throughout the organization if the registered entity expects their interpretation to hold up.
Here is an example of an interpretation – feel free to use the one we are providing – that you could use for CIP-008, R1.1:
Procedures to characterize and classify events as reportable Cyber Security Incidents
The response plan must allow for characterizing a reportable Cyber Security Incident by determining if the incident is/was malicious or not, equipment/property was stolen and/or destroyed, length of the incident (if cyber, how long the attack, etc., went on for), are you able to recover from the incident or not – if you can recover, how long will it take.
The response plan must allow for you to classify the reportable Cyber Security Incident by determining if the incident was a reoccurring incident, one-time event or a peripherally related attack, etc. Was the incident detrimental or not to the operations. Was the incident preventable?
As a registered entity, please be reminded that you need to use common business sense and good utility practice when creating/presenting your interpretation(s). Do not interpret a requirement as being something that it clearly is not. In other words, don’t interpret sabotage in CIP-001 as being only an event that is caused by a terrorist. A perfectly acceptable method is to look up the definition of sabotage in the dictionary and use that definition as a guide or starting point.
The information given in this document was garnered through conversations and Q&A sessions with various members of FERC, NERC and several regional entities.
James Holler is founder of Abidance Consulting.