A Weak NERC CIP Program Can Cost You More Than Just A Fine
With more and more emphasis being placed on the CIP requirements, some NERC registered entities may be tempted to “relax” and decide that they do not own or operate a Critical Asset. A word of advice: take a deep breath and think carefully. If you think that it is just too hard to get compliant and that the easiest solution is simply to declare that you are not critical, you are very mistaken. A poor NERC CIP program can cost more than a fine.
Several attorneys who work in the NERC space have commented that entities that deliberately declare themselves not critical, or appear to have done so, simply to avoid having to comply will most likely face severe fines from NERC…and we’re talking in the millions of dollars. On the same side of this coin, if your CIP program is so weak that you are judged not to be in compliance, you could suffer much larger financial losses, in addition to any fines, if you become the victim of a cyber attack or suffer an interruption due to your failure to comply.
NERC and FERC have made it very clear from the beginning that they are serious about having registered entities comply with their rules and regulations. Since June 2007, NERC fines total more than $35 million and the FERC fines are almost $120 million.
If your organization doesn’t have the appropriate staff on hand to get the job done, then you have two valid options: 1) hire the appropriate staff, or 2) hire a competent consulting firm. Don’t think that you, as a registered entity, are going to be able to “slip one by” the auditor. The eight RROs, as well as NERC and FERC, have hired some very skilled cyber security auditors who know what to look for and where to look. These auditors are very good, and the only way to “beat them” is to have a great CIP compliance program in place.
You may ask, “How long does it take to get compliant…and for how much?” This is not an easy question to answer, as there are numerous variables that determine the answers. A few of those variables are: what is your current state of readiness; have you leveraged work from other compliance efforts such as Sarbanes-Oxley, HIPAA and PCI; and have you tested your current state of readiness against a mock audit? There are dozens of factors that must be considered before you can even guess at the timeframe and associated costs. One thing is for sure, though…it will cost you a lot less money to get compliant than it will to “keep your head in the sand”.
James Holler is founder of Abidance Consulting.