July 9, 2024

In this 2-part blog series, we discuss the current NERC regional framework for ensuring energy reliability: the differences between the federal, regional, and Canadian agencies involved, and how the CIP requirements address collaboration and security.

This post provides an overview of the NERC regional framework and starts to identify the regulator's role in the reliability, security, and resilience of the electric grid.

New to NERC Compliance: What Did I Do Wrong?

You studied hard in school to get your IT certifications and training. You invested countless hours into honing your skills, dreaming of the day when you would land your dream job with a great company. You envisioned yourself configuring mission-critical networks, updating software to keep the company secure, and delving into the intricacies of the most innovative enterprise software platform implementations. You believed that your knowledge of these complex technologies would be your ticket to success, enhancing your resume and opening doors to new opportunities that would lead you to a successful, rewarding, and lucrative career.

You finally get that job offer you've been waiting for: you're going to be part of the IT team at the largest power company in the town you grew up in. All your hard work has paid off! However, as you step into the world of the power industry, you quickly realize that a significant portion of your job revolves around supporting NERC compliance rather than dabbling in the cutting-edge technologies you had anticipated. Instead of being a pioneer of innovation and playing with cool stuff, most of your job is checking a box for something (and being able to prove it). You're in the role because you have that needed IT knowledge: you are uniquely qualified to pull baseline configuration information from OT assets, deploy patches in the critical infrastructure environments that enable the grid, and understand the difference between IT and OT.

Wait, is it NERC or FERC?

Well, it is sort of both. NERC is the Electric Reliability Organization (ERO) certified by FERC (the Federal Energy Regulatory Commission), and its standards are developed collaboratively by the regulated industry, often in response to FERC orders directing that a standard be created or revised. So the industry drafts the language and wording, approves it through NERC's standards process, and the result then goes to FERC for approval before it becomes enforceable. This process is a long one, and watching the sausage being made is both enlightening and frustrating. It's a world where you can argue over the definition of the word 'vendor' for 90 minutes and not reach a consensus.

The good news is that if you're good at what you do in supporting NERC compliance efforts and understanding cyber security best practices for critical infrastructure, you'll be gainfully employed until you decide to retire! And you can honestly say that you are helping safeguard America's most critical of critical infrastructure, the grid, which gives your job importance and purpose.

Well, here you are, and this is your job. We all recognize that in today's interconnected world, reliable and secure energy infrastructure is crucial to sustaining our modern way of life. The North American Electric Reliability Corporation (NERC) plays a pivotal role in safeguarding the stability and resilience of the electric grid across North America. Your job is an important one.

NERC CIP

As you look back on the moment when you were offered the position, the term NERC CIP was a new one, and you couldn't even spell it if asked after hearing it for the first time. By now, you know it stands for Critical Infrastructure Protection, and it has become your primary focus. NERC CIP focuses on protecting BES Cyber Systems, the cyber assets whose loss or misuse would adversely affect the Bulk Electric System within 15 minutes, and the high- and medium-impact systems with routable connectivity sit inside an ESP (Electronic Security Perimeter). In plain terms: if this 'thing' goes down or is compromised, you risk having an outage.

CIP requirements also cover access to these systems and assets, from both a physical and a cyber security perspective. You'll need to keep up with how these cyber systems got here and where they came from under the supply chain requirements. As you begin to unpack the seemingly endless training needed to be successful, you discover that there are more than a dozen standards to delve into on the CIP side (CIP-002 through CIP-014), and a completely different set of standards, the Operations and Planning ("693") standards, on the other side. You'll probably need to become an expert in at least two of them, and fast! You'll typically find that the smaller the power company, the more hats you need to wear. Just as you think you are starting to grasp the complex web of NERC regulations, your Manager of Compliance introduces you to the concept of your regional entity and the audit team expected later in the year.

What happens if you're wrong, or can't find proof that you're right (compliant) when the auditor asks you to show them something? The entity, which is now your employer, can be cited or fined, up to the statutory maximum of over a million dollars per violation per day. No one wants that to be how their day went.

Regional Entities

I'll use the rest of this post to break down the different regions in the NERC footprint and shed a little light on the regional audit approach, giving you the basic foundation of what you need to know. Let's take a look at how NERC works and understand the importance of regional enforcement. This post aims to simplify the workings of NERC's regional entities, shedding light on their purpose, structure, and enforcement mechanisms.

The Mission

First, it is essential to grasp the overarching mission of this regulatory organization. NERC's primary objective is to ensure the reliability and security of the Bulk Electric System, spanning the United States, Canada, and a portion of Mexico. By developing and enforcing a set of mandatory standards, NERC strives to maintain the integrity and resilience of this critical infrastructure. Remember that the R in NERC stands for Reliability, and that's the goal. I've talked with auditors before in an effort to better understand their job and their mindset, and I remember a former RF auditor reminding me that RF stands for ReliabilityFirst. That's the mission of the NERC regional entities.

To effectively manage and enforce the standards, NERC originally established eight regional entities within North America. Two have since gone away: the regional entity in Florida (FRCC) folded and was absorbed by SERC, and the regional entity in the middle of the country, SPP RE, had most of its footprint move to MRO (with the remainder going to SERC), leaving six today. These entities serve as the front-line regulators, responsible for compliance monitoring, enforcement, and support activities within their respective regions. Their main objectives include facilitating communication and collaboration, conducting audits and assessments, and promoting consistent adherence to NERC standards.

Each regional entity operates within a designated geographic region and is composed of industry experts, regulatory professionals, and technical specialists. These entities act as the intermediary between NERC and the utilities, ensuring that compliance efforts are effectively implemented and monitored. They work closely with utilities, government agencies, and other stakeholders to foster a culture of reliability and enhance the security of the electric grid.

The Audits

Regional entities used to be fairly unique in their approach to audits; one region might focus on one area of NERC CIP and another would focus on something else. There were regions, and even particular auditors, that were tougher than others. Multi-regional audits were the most challenging, as you had individuals from different regions all trying to be the smartest person in the room. The conversation could go anywhere, and in NERC compliance the hardest part is that you have to be right every single time. You have to be able to prove things from the past, perhaps as far back as 3 years, which is the typical audit period.

The success of NERC's regional entities hinges on collaboration and information sharing among the various stakeholders, so that registered entities get better at building their process, following their process, and, most importantly, being able to prove that they followed their process. Recognizing the interconnected nature of the power industry, the regional entities facilitate the exchange of best practices, lessons learned, and emerging threats within their regions. They also serve as a valuable resource for utilities, offering guidance and support to enhance compliance and reliability.

As the energy utility space continues to evolve, NERC's regional entities face new challenges and opportunities. With the increasing supply of renewable energy sources, advancements in technology, and emerging cyber threats, the role of these entities in ensuring a resilient and secure grid becomes even more critical. To adapt to these changes, regional entities are continually evolving their enforcement strategies and doing their best to foster innovation and collaboration.

Bringing It Home

NERC's regional entities are the backbone of compliance and enforcement efforts within the North American electric grid. With a better understanding of the purpose, structure, and functions of these entities, professionals in the power industry can navigate the complex landscape of NERC compliance with greater confidence. As the energy sector continues to evolve, NERC's regional entities will play a vital role in upholding the integrity of our critical infrastructure, fostering collaboration, and addressing emerging challenges. And they can fine your company millions of dollars if you don't get it all right. Welcome to your role in NERC CIP compliance!

All the NERC regional entities (REs) share the same primary mission: to uphold the reliability of the electric grid by enforcing the mandatory reliability standards. They work to ensure that utilities, transmission operators, and other registered entities within their jurisdiction adhere to these standards, which cover areas such as transmission planning, operations, maintenance, and cybersecurity.

Join us for Part 2 of this blog series, where we discuss the importance and impact of regional audits, call out the different regional entities, and explain how they are structured.

View our recent webinar, where we dive deeper into practical solutions to streamline CIP-004 compliance in your organization.

About the Author

Scott Crow is the Senior Business Systems Strategist – Energy & Utilities at AssurX. Scott has a proven track record of delivering successful IT/OT solutions that solve the cyber security challenges of critical infrastructure. He is passionate about bringing better ways of solving business problems to the marketplace through innovation, and specializes in the intersection of people, technology, and process.