NERC/FERC Compliance Standards Too Vague, Former Official Says

Article title
logo

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Confused by FERC’s sometimes vague compliance requirements? You’re not alone – FERC might be, too.

That’s the startling revelation we got recently from a man who ought to know: Randal Blanchette left the agency in September to join Abidance Consulting. At FERC, Randal was a cyber security specialist in the Office of Electric Reliability. He’s done audits on utilities large and small, and he’s seen it all.

“I was there at the creation” of the CIP 002-009 Standards, Randal adds. He’s uniquely positioned to help companies navigate these regulations, he argues, because he’s the only one involved at this level who has since left FERC. “Not to toot my own horn, but I understand what is happening and no one who has left FERC was in the position I was in,” Randal says.

So far, FERC’s efforts to provide more specific standards and requirements have been hamstrung by internal disagreements and an overarching desire to develop standards that “are defensible in court,”  the former FERC official says. That makes some sense, since a standard that won’t hold up in court loses a lot of regulatory teeth, Randal agrees, but that focus has sometimes made it difficult for FERC to offer much in the way of specifics. And it’s left a lot of regulated entities scratching their heads.

“The creation of the CIP 002-009 Standards by NERC with approval from FERC [presented industry with] many challenges of interpretive guidance as can be expected from an imperfect set of documents that catered to the lowest common denominator while simultaneously skimping on clarity for the entity players to understand,” Abidance Consulting’s James Holler has written on this blog.

“Many of the regulated entities I audited or came in contact with didn’t understand the ramifications of non-compliance” with the regulations, Randal says. Worse still, many thought they were in compliance when they actually weren’t.  “Many don’t have a good sense of what’s expected of them and how to comply.”

While regulated entities should get some sympathy for having to grapple with sometimes vague regulations, they still have to find ways to comply, Randal notes.

Making matters more complicated, Randal adds, is that there is a lot of “misinformation” out there in cyberland about what constitutes compliance proven reporting procedures.  Chatter and informal “advice” on the Internet is only adding to the compliance ambiguity faced by many regulated entities.

But there is some relatively good news, Randal says. The new CIP 010 and 011 standards are “more specific and helpful, but we’re still not there yet.”

Progress not perfection, as they say.

Showing 6 comments
  • Reply

    Gee, FERC is confused. I’m shocked…………NOT!

    When have we ever seen FERC really step up and take the regulatory bull by the horns? I can’t remember ever being proud of their work as a kick-ass regulator. In fact, FERC comes closest to being the perfect example of the “capture theory” of regulation: a regulatory agency completely captive of the industry it regulates.

    This is a great article, Mike. As usual you give us some of the real inside scoop. This kind of information is not very easily accessible, and even less available to the general public. Great job!

  • Reply

    Mike,

    One thing you and your readers can be assured of…Abidance Consulting will be creating blogs for AssurX that will focus on what is going on in the NERC/FERC world for as long as your readers want us to. We will also be “policing” sites like LinkedIn to ensure that all of the mis-information does not go on without us blowing the lid off of those who have no idea what they are talking about. Randal’s hiring from FERC is just the beginning as we are bringing on additional “big guns” from them and other regulatory bodies in the near future to help our clients become compiant and to gain an inside knowledge of what is expected at all times.

    • Reply

      Michael, Great article!

      James, Thank you for your support with continued blogs and articles. Well done.

  • Reply

    I agree with James. There’s way too much misguided information out there on the social media sites.

pingbacks / trackbacks

Leave a Reply