CIP Training Management Programs Impacted by NERC Requirements
Cyber Security Qualifications Bolstered
NERC has always had high expectations when it comes to a utility protecting its physical infrastructure, but as technology plays an increasingly important role in our lives, agencies like NERC and the FDA recognize that cybersecurity is an equally important consideration. That’s part of the reason NERC bolstered a number of qualifications in 2016, including setting a July 1, 2016 enforcement date on parts of its personnel and training requirements for utilities (CIP-004-6).
Training Management Emphasized In New NERC Regulatory Reality
While some of these requirements have not changed significantly since 2012, regulatory scrutiny and expectations appear to be on the verge of an upswing. That new stringency means now is the time to assess personnel training programs and implement a strong training management program. Such a program should include a strong document management component with proactive record-keeping, so the utility knows that its employees have viewed and otherwise demonstrated familiarity with new training tools and regulations.
For obvious reasons, training management is a significant piece of a utility’s compliance management program. Since AssurX’s tools can be integrated with a whole suite of related pieces, training courses can be tied to the applicable NERC requirement to monitor compliance and to issue notifications and escalations for upcoming training requirements or for training that an employee has not completed on time.
NERC CIP Awareness
For example, NERC’s CIP Awareness (CIP-004-6) mandates that utilities remind employees of their security requirements quarterly. Utilities must have a training management tool that alerts them to deadlines and, perhaps more importantly, allows them to track whether employees have viewed the reminders. CIP Training must occur every fifteen months (CIP-004-6). Again, utilities expose themselves to regulatory and service-interruption risks if they fail to meet these deadlines.
Training Employees to Manage Visitors
NERC also makes clear that it is up to the utility to train its personnel regarding how to handle visitors such as vendors. To be safe, it is advisable to have in place a policy that requires visitors to be escorted at all times while on the premises. Being escorted means visitors remain in the sight of their designated chaperone at all times during the visit. In addition, they must be identified with a visitor badge that is easy to read. They must be carefully logged in when they enter and leave the premises.
Obviously, these are important policies to follow. However, it is equally important to be able to demonstrate to NERC that a policy has actually been implemented and has engaged employees in a direct and trackable manner.
NERC Compliance Creates New Efficiencies
In addition to all-important regulatory compliance, many regulated utilities may find the programs create new efficiencies that speed operations. Time is money, so that’s a key consideration. Integrated training management and document management tools like those offered by AssurX streamline activities, close up gaps, and leave less room for human error. Automating notifications, reminders, and alerts saves considerable time. Dashboards provide configurable summary information on overall compliance with training requirements. Easy access to historical records delivers the ability to monitor the effectiveness of a training management program over time.
There are some common themes that run throughout these and other NERC personnel training requirements, not the least of which is their importance and seriousness. Utilities must be certain their training management plans are up to the challenge and that they have a relatively simple and iron-clad way to determine that the training management program is being implemented with the right employees receiving the right training at the right time.
In upcoming blogs, we’ll dig deeper into important issues including Access Control and Document Control.