Conducting a cybersecurity training management program gap analysis is critical for regulated utilities to ensure NERC compliance in 2017 and beyond.
Cyber Security Qualifications Bolstered
NERC has always had high expectations regarding a utility protecting its physical infrastructure. Still, as technology plays a more critical role in our lives, agencies like NERC and the FDA recognize that cybersecurity is an equally important consideration. That’s part of why NERC bolstered several qualifications in 2016, including setting a July 1, 2016 enforcement date on parts of its personnel and training requirements for utilities (CIP-004-6).
Training Management Emphasized In New NERC Regulatory Reality
Although some of these requirements have not changed significantly since 2012, regulatory scrutiny and expectations appear to be on the verge of an upswing. That new stringency means the time is now to assess personnel training programs and implement a strong training management program, one that includes a robust document management component with proactive record-keeping, so the utility can show that its employees have viewed, and otherwise demonstrated familiarity with, new training tools and regulations.
For obvious reasons, training management is a significant and essential piece of a utility’s compliance management program. Since entities can integrate AssurX’s tools with a whole suite of related pieces, training courses can be tied to the applicable NERC requirement to monitor compliance and to issue notifications and escalations for upcoming training requirements or for training that an employee has not completed on time.
NERC CIP Awareness
For example, NERC’s CIP Awareness (CIP-004-6) mandates that utilities remind employees of their security requirements quarterly. Utilities must have a training management tool that alerts them to deadlines and, perhaps more importantly, allows them to track whether employees have viewed the reminders. CIP Training must occur every fifteen months (CIP-004-6). Again, utilities expose themselves to regulatory and service interruption risks if they fail to meet these deadlines.
Our compliance management webinar details best practices for automating #NERC and #cyber security compliance. http://ow.ly/hvYS307tSyY
— AssurXEnergy (@AssurXEnergy) December 16, 2016
Training Employees to Manage Visitors
NERC clarifies that it is on the utility to train its personnel regarding how to handle visitors such as vendors. It is advisable to have a policy that requires visitors to be escorted at all times while on the premises. Being escorted means visitors remain in the sight of their designated chaperone at all times during the visit. Also, they must be identified with a visitor badge that is easy to read. They must be carefully logged in when they enter and leave the premises.
These are important policies to follow. However, it is equally essential to demonstrate to NERC that the policy has been implemented and that it has engaged employees in a direct, and trackable, manner.
NERC Compliance Creates New Efficiencies
In addition to all-important regulatory compliance, many regulated utilities may find the programs create new efficiencies that speed operations. Time is money, so that’s a key consideration. Integrated training management and document management tools like those offered by AssurX streamline activities, close up gaps, and leave less room for human error. Automating notifications, reminders, and alerts saves considerable time. Dashboards provide configurable summary information on overall compliance with training requirements. Easy access to historical records delivers the ability to monitor a training management program’s effectiveness over time.
Some common themes come up across these and other NERC personnel training requirements, not the least of which is their importance and seriousness. Utilities must be sure their training management plans are up to the challenge and that they have a relatively iron-clad and straightforward way to determine that the training management program is being implemented, with the right employees receiving the right training at the right time.
In upcoming blogs, we’ll dig deeper into critical issues, including Access Control and Document Control.