Interpretational Guidance on NERC's COM-001 Standard
During World War II the Allies faced some major challenges. Among the strangest was that the English used by the Americans and the English used by the British had much in common but also differed in many ways. As a result, there were problems in coordination, logistics and security.
Fast forward to 2006 and remember the creation of the CIP-002 through CIP-009 Standards by NERC with approval from FERC. There were, and are, many challenges of interpretive guidance, as can be expected from an imperfect set of documents that catered to the lowest common denominator while simultaneously skimping on the clarity the entity players need to understand them.
What does CIP-002 through CIP-009 have to do with COM-001, you might ask? Plenty. The rule in the IT world is that you have an islanded or closed network (LAN) if you cannot use telecommunication hubs (like commercial carriers or satellite) to connect multiple sister nodes (other LANs) to create what is referred to in the network world as a WAN (Wide Area Network).
Let’s take a look at the Standard and see if we can make sense of it.
Let’s look first at the purpose statement of COM-001. It says: “Each Reliability Coordinator, Transmission Operator and Balancing Authority needs adequate and reliable telecommunications facilities internally and with others for the exchange of Interconnection and operating information necessary to maintain reliability.”
Notice two things: “reliable telecommunications facilities internally” and “with others for the exchange of Interconnection and operating information.”
This implies that the following requirements must meet these needs to be considered “compliant.” So, let’s look a little more deeply into the requirements.
COM-001 Requirement 1 and Requirement 1.4 state:
R1 Each Reliability Coordinator, Transmission Operator and Balancing Authority shall provide adequate and reliable telecommunications facilities for the exchange of Interconnection and operating information:
R1.4 Where applicable, these facilities shall be redundant and diversely routed.
On the surface these requirements appear to be straightforward, but after a number of audits by FERC and NERC staff, they are anything but.
Both of these requirements are better described as simply nebulous. What defines “adequate”? “Where applicable”? Who decides what is adequate and where applicable: NERC, FERC or the Registered Entity that is being audited?
The auditor is the sole determining factor in compliance or noncompliance with these requirements. If they get it wrong, as many of them do, then you don’t have a compliant facility from a reliability perspective.
Read together with R1.4 and in light of the purpose statement, R1 says that if you have only one communications trunk entering your network, which is then multiplexed out to your Primary Control Center (PCC) and your Backup Control Center (BCC), you are not in compliance.
Another problem is the definition of what constitutes a telecommunications facility. It means different things to a telephone company technician and to an IT technician.
FERC and NERC define these to be BOTH data and voice traffic. You cannot simply have two phone lines and expect to be compliant if you are also carrying data traffic from the PCC and BCC as part of your operations. You will fail the audit on this alone, and fines are more than a possibility; they are virtually guaranteed.
James Holler is founder of Abidance Consulting.