NERC/FERC Compliance Standards Too Vague, Former Official Says
Confused by FERC’s sometimes vague compliance requirements? You’re not alone – FERC might be, too.
That’s the startling revelation we got recently from a man who ought to know: Randal Blanchette left the agency in September to join Abidance Consulting. At FERC, Randal was a cyber security specialist in the Office of Electric Reliability. He’s done audits on utilities large and small, and he’s seen it all.
“I was there at the creation” of the CIP 002-009 Standards, Randal adds. He’s uniquely positioned to help companies navigate these regulations, he argues, because he’s the only one involved at this level who has since left FERC. “Not to toot my own horn, but I understand what is happening and no one who has left FERC was in the position I was in,” Randal says.
So far, FERC’s efforts to provide more specific standards and requirements have been hamstrung by internal disagreements and an overarching desire to develop standards that “are defensible in court,” the former FERC official says. That makes some sense, since a standard that won’t hold up in court loses a lot of regulatory teeth, Randal agrees, but that focus has sometimes made it difficult for FERC to offer much in the way of specifics. And it’s left a lot of regulated entities scratching their heads.
“The creation of the CIP 002-009 Standards by NERC with approval from FERC [presented industry with] many challenges of interpretive guidance as can be expected from an imperfect set of documents that catered to the lowest common denominator while simultaneously skimping on clarity for the entity players to understand,” Abidance Consulting’s James Holler has written on this blog.
“Many of the regulated entities I audited or came in contact with didn’t understand the ramifications of non-compliance” with the regulations, Randal says. Worse still, many thought they were in compliance when they actually weren’t. “Many don’t have a good sense of what’s expected of them and how to comply.”
While regulated entities should get some sympathy for having to grapple with sometimes vague regulations, they still have to find ways to comply, Randal notes.
Making matters more complicated, Randal adds, is that there is a lot of “misinformation” out there in cyberland about what constitutes compliance and proven reporting procedures. Chatter and informal “advice” on the Internet are only adding to the compliance ambiguity faced by many regulated entities.
But there is some relatively good news, Randal says. The new CIP 010 and 011 standards are “more specific and helpful, but we’re still not there yet.”
Progress not perfection, as they say.