Trend Watch: 2022 and Beyond Will See Maturation of Internal Control Programs
Technology, Politics, Climate, and the Coronavirus will Drive Maturation of Internal Control Programs
Technology, politics, climate, and the Coronavirus pandemic are four conditions that will influence future trends in the energy industry in 2022 and beyond. In response to these conditions, the trend for the near future will be an increase in technology that enables automation, integration, and maturing internal control programs. Tightening internal controls will accommodate the increasing layers of regulations, initiatives, and recommendations driven by local, state, federal, and corporate policies.
This brief will examine each condition and potential impacts. In addition, it will provide strategies to manage internal controls effectively and efficiently for long-term success.
Technology continues to advance at an exponential rate, and with that comes an increased demand for cybersecurity. Consider, for example, artificial intelligence, machine learning, virtual reality, augmented reality, blockchain, the internet of things, and 5G.
As technology changes, the ways it can be exploited change with it. Security gaps are closed only about as fast as new ones open. Cybercrime is a constant, evolving threat, and bad actors keep getting smarter.
NERC CIP regulations were initiated in 2008 and have continued to evolve to meet the increasing complexity of the cybersecurity landscape. While the next major overhaul to the CIP standards has been pending for a significant amount of time, we are likely to see it come to fruition in the near future.
Currently, NERC Reliability Standards Under Development Project 2016-02 Modifications to CIP Standards encompasses modifications to 11 standards to address some issues identified in earlier versions of the CIP Standards:
- Cyber Asset and BES Cyber Asset Definition
- Network and Externally Accessible Devices
- Transmission Owner (TO) Control Centers Performing Transmission Operator (TOP) Obligations
These modifications will expand the scope of compliance, and inevitably require changes to NERC CIP internal control and compliance management programs across the industry.
NERC CIP is not the only approach to cybersecurity; there are over 25 different cybersecurity frameworks. They share common themes but vary in implementation, including scope, timelines, and data requirements. Entities recognize that staying within the confines of NERC CIP is not sufficient to be secure, and are adopting additional frameworks and extending their cyber controls. Blending the chosen cybersecurity frameworks with additional corporate initiatives and applying them across the affected IT, OT, and IoT ecosystem is a challenge every entity will face.
The political atmosphere in the United States will continue to shape our future. The current administration has made climate a top-level priority, and we will continue to see more intervention and more regulation than under the prior administration.
The Biden-Harris Administration has made it clear that as a nation, we need to invest in our critical infrastructure. This will mean incentives and regulations to drive towards that goal. There are numerous investments outlined in the Bipartisan Infrastructure Law that will help fund modernization efforts. These include investment in clean energy with a goal of a “zero-emissions future”, an expansion of transmission lines to support delivery of that new energy, and funding to make our infrastructure resilient against cyber-attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) is tasked with creating a more secure and resilient infrastructure for the future. Their primary goal is to defend against urgent threats and hazards, and the secondary goal is to strengthen critical infrastructure and address long-term risks.
Cybersecurity and zero-emissions initiatives are frequent at the state level and vary state-to-state. Your controls program must support all states that you operate in.
Extreme weather events have disrupted our lives more frequently in recent years. Whether the cause is global warming, or the natural ebb and flow of weather patterns, future disruptions will continue to affect the generation, transmission, and distribution of energy.
To this point, it is irresponsible to overlook the impact of drought, flood, fire, extreme heat, extreme cold, and strong winds. Communities should strive for a diversity of energy sources with built-in redundancy to ensure a reliable system, one that can respond to rapid changes in weather and accommodate extremes. In February 2021, for instance, Texas was crippled by unprecedented low temperatures. California has experienced years of large wildfires, and record numbers of hurricanes have hit the southern and eastern United States.
There are security and compliance risks inherent in reacting to these extreme weather events: unplanned situations cause us to throw out the rule book and react to the moment. When power, computer systems, or communications are down, we are vulnerable to a variety of issues such as loss of critical data, reduced physical and cyber security, and compromised health and safety. A controls program should therefore define in advance which emergency exceptions are permitted, how they are documented while in effect, and how they are reviewed and closed out once normal operations resume.
The global pandemic due to Covid-19 has changed our lives in many ways, including a long-term impact on the energy industry. Working and learning from home has shifted energy demand in the short term, but attitudes towards working and learning online have changed permanently.
Step into any grocery store and you can see the pandemic’s impact on the supply chain. This impact stretches worldwide and across many types of products. Technology required to maintain the BES may be unavailable, delayed, or cost significantly more than before. Unfortunately, this may mean a need to extend the life of existing technology, which warrants additional compensating controls until that technology is decommissioned, particularly where the vendor no longer supplies patches.
Additionally, the pandemic has affected the global workforce. Covid-19 has taken workers away from their jobs, temporarily or permanently: time off to recover from the virus, as well as self-quarantine, has kept workers away. The pandemic has also hastened early retirement, creating a measurable gap in knowledge and experience. It is not sufficient to rely on individuals to execute controls and maintain compliance in a vacuum. Instead, procedures must be well documented, well communicated, and preferably automated, so that compliance is maintained through attrition, illness, or other causes.
Automation, Integration, and Consolidation of Internal Controls
There will be a breaking point. It will no longer be sufficient to have separate departments, groups, or teams for each type of regulation, policy, or initiative. There is so much overlap that they must be coordinated and consolidated enterprise-wide. Plus, manual tracking of controls and compliance data is inefficient and error-prone. It will only become more complex and inefficient as the regulatory landscape evolves.
Typical reasons for automation include reducing human error, eliminating repetitive tasks, and ensuring that tasks are assigned and completed quickly – and on time. A solid internal controls program leverages automation for strong controls, especially for:
- Data collection
- Periodic reviews
- Scheduled activities
- Time-based obligations
When designing controls as part of a cybersecurity program, automation becomes even more critical. Automation creates a guided process for monitoring assets and asset baseline, patch management, change control, access management, and more.
There is no one-size-fits-all software ready to accommodate every requirement. Entities should leverage existing systems and best-of-breed additions to the ecosystem and integrate them together to achieve the best result. For example, consider a NERC CIP Compliance program. A central compliance management software can:
- Receive asset and baseline updates from an asset management system
- Receive patch availability from a patch discovery system
- Interact with a human resources system for user data
- Receive training completion information from an LMS
Automating data feeds can simplify these time intensive tasks, ensure greater accuracy, reduce risk of noncompliance, and serve as cybersecurity controls.
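As an added example (not code from this page or from AssurX), the following Python sketch shows what automating time-based obligations from integrated data feeds looks like in practice. It consumes constructed records standing in for the patch discovery, HR, access management, and asset management feeds listed above, computes due dates from windows the CIP standards set (CIP-007 R2.2 requires released security patches to be evaluated at least every 35 calendar days, modelled here as 35 days from release; CIP-004 R5.1 requires a terminated user's access to be removed within 24 hours; CIP-010 R1 requires baseline configuration changes to be authorized and documented), flags overdue items, and reports baseline drift. Asset names, patch identifiers, user names, and the shape of the feed records are all assumptions made for the example.

```python
"""Minimal control engine for time-based obligations (added example, not AssurX code).

Feeds and their record shapes are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows come from the CIP standards; the page itself does not quote them.
PATCH_EVAL_WINDOW = timedelta(days=35)      # CIP-007 R2.2, modelled as 35 days from release
ACCESS_REVOKE_WINDOW = timedelta(hours=24)  # CIP-004 R5.1, 24 hours from termination


@dataclass(frozen=True)
class Obligation:
    control: str    # requirement the task satisfies
    subject: str    # "asset:patch" or "user@system"
    due: datetime
    status: str     # "open", "overdue" or "done"


def _status(due, completed, now):
    if completed is not None:
        return "done"
    return "overdue" if now > due else "open"


def patch_obligations(patch_feed, now):
    """One CIP-007 R2.2 evaluation task per patch reported by the patch discovery feed."""
    out = []
    for rec in patch_feed:
        due = rec["released"] + PATCH_EVAL_WINDOW
        out.append(Obligation("CIP-007 R2.2", f"{rec['asset']}:{rec['patch']}",
                              due, _status(due, rec.get("evaluated"), now)))
    return out


def access_obligations(hr_feed, access_records, now):
    """One CIP-004 R5.1 revocation task per account still held by a terminated user."""
    out = []
    for term in hr_feed:
        due = term["terminated"] + ACCESS_REVOKE_WINDOW
        for acct in access_records:
            if acct["user"] == term["user"]:
                out.append(Obligation("CIP-004 R5.1", f"{term['user']}@{acct['system']}",
                                      due, _status(due, acct.get("revoked"), now)))
    return out


def baseline_deviations(approved, observed):
    """Diff each asset's observed configuration against its authorized baseline (CIP-010 R1).

    Returns {asset: {field: (approved_value, observed_value)}} for every drifted field.
    """
    deviations = {}
    for asset, base in approved.items():
        cur = observed.get(asset, {})
        diff = {k: (base.get(k), cur.get(k))
                for k in sorted(set(base) | set(cur)) if base.get(k) != cur.get(k)}
        if diff:
            deviations[asset] = diff
    return deviations


def summarize(obligations):
    """Counts by status, the figure a compliance dashboard would show."""
    counts = {"open": 0, "overdue": 0, "done": 0}
    for ob in obligations:
        counts[ob.status] += 1
    return counts


# ---- constructed sample feeds (not real assets, patches or people) ----
SAMPLE_NOW = datetime(2022, 3, 1, 12, 0)

PATCH_FEED = [  # from the patch discovery system
    {"asset": "EMS-SRV-01", "patch": "vendor-2022-01A", "released": datetime(2022, 1, 10), "evaluated": None},
    {"asset": "RTU-07", "patch": "fw-4.2.1", "released": datetime(2022, 2, 20), "evaluated": None},
    {"asset": "EMS-SRV-01", "patch": "vendor-2022-01B", "released": datetime(2022, 1, 10),
     "evaluated": datetime(2022, 1, 20)},
]
HR_FEED = [{"user": "jdoe", "terminated": datetime(2022, 2, 27, 9, 0)}]  # from HR
ACCESS_RECORDS = [  # from the access management system
    {"user": "jdoe", "system": "EMS", "revoked": None},
    {"user": "jdoe", "system": "VPN", "revoked": datetime(2022, 2, 27, 10, 0)},
    {"user": "asmith", "system": "EMS", "revoked": None},
]
APPROVED_BASELINES = {  # authorized baselines held by the compliance system
    "EMS-SRV-01": {"os": "RHEL 8.4", "ports": [22, 443]},
    "RTU-07": {"firmware": "4.2.0", "ports": [502]},
}
OBSERVED_BASELINES = {  # latest asset management scan; telnet appeared on EMS-SRV-01
    "EMS-SRV-01": {"os": "RHEL 8.4", "ports": [22, 23, 443]},
    "RTU-07": {"firmware": "4.2.0", "ports": [502]},
}

if __name__ == "__main__":
    todo = patch_obligations(PATCH_FEED, SAMPLE_NOW) + access_obligations(HR_FEED, ACCESS_RECORDS, SAMPLE_NOW)
    for ob in todo:
        print(f"{ob.status:8} {ob.control:13} {ob.subject:28} due {ob.due:%Y-%m-%d %H:%M}")
    print("baseline deviations:", baseline_deviations(APPROVED_BASELINES, OBSERVED_BASELINES))
    print("summary:", summarize(todo))
```

With the constructed data the engine reports the January patch evaluation and the EMS account of the terminated user as overdue, the February patch as open, the already evaluated patch and the already revoked VPN account as done, and an unauthorized port 23 on EMS-SRV-01 as a baseline deviation. The point is that none of these findings depend on a person remembering a date; they fall out of the feeds and the windows.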
Internal controls and the resulting compliance evidence will be required for a myriad of reasons. These include federal, state, and local regulations, corporate initiatives, cybersecurity needs, and a dynamic workforce. Consolidating the management of these controls in a single software system ensures visibility and accountability for those controls. Designing each control to satisfy several similar requirements at once minimizes duplicate effort and maximizes efficiency.
Strong internal controls are a requirement for protection against situations and bad actors that can cause harm. Reliability and security are the objective of the controls, while provable compliance is a result. Technology, politics, climate, and the pandemic affect the content of your controls program. As a result, enterprise-wide automation, integration, and consolidation of internal controls is necessary to support an effective program in the future.
Further, consider investing in software that adapts to meet your needs and grows with you as your ecosystem changes.
Kathryn has over 25 years’ experience in manufacturing systems integration and compliance. At AssurX, she oversees the development and implementation of automation solutions for NERC and other quality and compliance requirements. In addition, Kathryn guides the strategic vision and expansion of opportunities into other regulated markets within the energy sector.