NERC CIP Violations are a Lesson in Management and Modernization

The recent Notice of Penalty and Enforcement Action of $10M to a Registered Entity (RE) for 127 NERC CIP violations demonstrates that the cost of non-compliance far exceeds the cost of implementing and managing a strong compliance program that includes NERC CIP focus.

The regulatory landscape for energy and utility compliance continues to become more difficult to navigate. FERC and the Electric Reliability Organization (ERO) continue to ramp up their regulation enforcement and scrutiny. Developing a program to address reliability standards requires a two-pronged approach that consists of; (1) a multi-level, multi-departmental approach to compliance from the top down, and (2) a sustainable compliance program built on a single platform architecture.

Missing the Big CIP Picture

Playing roulette with cyber asset security in the energy & utilities sector is a dangerous game. A KPMG 2018 outlook study found that only slightly less than half of power and utility CEOs think a cyber-attack is inevitable. That confidence is not shared with security and compliance experts. In fact, NERC noted “organizational silos” and poor communication between management levels for “lack of awareness of the state of security and compliance,” among other issues in the recent penalty.

Not surprisingly, in the same KPMG report, 68% of CEOs reported they feel prepared to manage external stakeholders and 63% feel confident that they can contain any impact on strategic operation in the event of a breach. Most experts are much less confident.

Today’s converging IT, OT, IoT and AI environments often rely on shared server architectures to help with performance and monitoring. These ever-increasing number of access points are chum to the circling sharks that are working hard to control and disable the BPS. Identifying, securing, and managing all these assets is a challenge, but not an option and by no means impossible.

To be realistic no infrastructure is impenetrable. However, designing an effective program can be and has been done. It requires an enterprise-wide approach with the support of senior management and visibility into the true state of any cyber exposure. Without both, the real state of compliance is difficult to envision and impossible to authenticate.

Management: Taking a Top-Down Approach to Compliance

A compliance system works when it becomes an embedded part of company culture. Therefore, it is incumbent upon CxOs and management to set the tone for the compliance vision. Registered Entities that achieve compliance are those that communicate a dedication to safety and continual improvement as key corporate values instead of just another set of rules and a budgetary line item.

The ERO assesses management support during a compliance review as clearly noted in the recent Notice of Penalty. Therefore, management should ensure that periodic self-assessments and supplier assessments are performed and reviewed with results communicated to everyone in the organization who needs to answer to it.

Electric utility owners, executives, operators, and engineers need visibility into all IT and Industrial Control System (ICS) assets, their state of security, and what is being done to manage risk. The solution for transparency across the RE is an enterprise-wide system designed to support quality, safety, cybersecurity, and compliance activities.

Modernization: The Case for a Centralized CIP and Compliance Management System

A NERC CIP compliance software platform eliminates information silos and lapses in crucial tasks. Configurable workflows provide a clear course of action and critical checkpoints. Automation drives remedial measures which may otherwise fall between the cracks. Reporting provides oversight into what is working, what isn’t working, and what is at risk.

A centralized system can display key business and compliance metrics for the at-a-glance status of the state of cybersecurity and potential gaps in compliance. These metrics are valuable for all levels of the RE for full compliance oversight. Most importantly, senior management needs to do little other than click a button for the critical information that they may need to take action on.

A system that meets NERC CIP requirements adapts to changes in the organization and compliance requirements. These include the ability to perform:

• Cyber asset inventory and configuration monitoring
• Access control for all physical, electronic, and other critical assets
• Vulnerability assessments
• Incident reporting and response planning
• Remediation plans and reporting
• Controls on changes and/or revisions
• Recurring training needs and reviews
• Document control access
• Automation of requests, reviews, evaluation, and approvals
• SME reviews
• Tracking, trending, escalation, and reporting for every level of the RE

Conclusion

It can be costly for REs to continue to operate in silos with ineffective systems to correct compliance issues. Furthermore, it can be damaging to corporate reputation when an assessment of non-compliance is considered to be a failure of senior management. In summary, utilities that address NERC CIP compliance with the support and oversight of management with an automated compliance platform are far more likely to achieve operational excellence that includes reduced costs, reduced downtime, and reduced risks of heavy fines.