If you’re in the electrical utility sector and you hear the words “NERC audit,” you’re likely to start sweating. Not because you lack a compliance plan for NERC, but because of the simple fact that there isn’t really any good information out there that tells you everything you need to do and exactly how to do it. There are NERC, FERC and even SERC, as you know. How can you keep all of them straight alongside the litany of other compliance concerns you have to address? One of my best pieces of advice is to break the different NERC requirements down into manageable pieces. You can learn more at nerc cip compliance software.
Build a NERC Program to Comply
Break the standards down and sectionalize them first. NERC did a good job of classifying them into categories. Cyber Security, for example, has standards ranging from CIP-001 through CIP-009. However, if you break apart all the different requirements that go into just those standards, you will undoubtedly end up with a million different action items on your plate. My specialty and focus was CIP-004, because that’s where I heard a lot of screaming from clients who were frustrated with the auditing process. The fines produced by such audits can run up to $7,500 per individual per day. I was at the TechAdvantage Expo in Atlanta recently and spoke with many industry executives who said they had paid fines of several hundred thousand dollars and more for failing to meet CIP-004.
The best thing to do is break the standards apart, review each in detail, and then parcel them out to your various department heads, who can be made responsible for implementing them. As the NERC compliance plan manager, you’ll need senior management buy-in to direct your peers to report their findings to you. You will need to coordinate their efforts and then tell senior management that you will provide them with bi-weekly, or at least monthly, updates on the plan. Doing so keeps them informed and keeps them giving you the tools you need to formulate a compliance strategy for NERC.
Let’s take the Cyber Security standards as an example. The name itself is a little misleading, because it suggests that these standards belong to the IT department. They are the ones who implement all kinds of cool techno stuff that gives you tools to protect against cyber intrusion, right? Not necessarily. Take CIP-004 for starters. It explicitly requires you to have a program in place for all staff and contractors covering security awareness training, personnel risk assessments, and access verification and authorization. Look at that and you understand that this is more of a physical security or HR issue than a technology problem.
Secondly, remember this one true statement when you’re looking for vendors to help you analyze all of the different options: no single company has a system for managing every issue in a NERC compliance plan. I’ve seen it countless times: businesses announce that they will make you NERC compliant simply by hiring them. That’s a joke. There are several consulting firms out there that are really professional and can definitely help you understand and build a compliance strategy for NERC, but they can’t implement the processes and technologies that make you compliant. Going back to the CIP-004 Cyber Security standard, vendors claim they can make you compliant within a certain time frame. One of the most important requirements of that standard is performing a background risk assessment check on anyone who has access to critical assets. You need to be a certified CRA (Credit Reporting Agency) to do a background check. At the same time, other parts of the same standard, such as managing encryption and password security for certain assets, may not be the best fit for that same vendor.
Remember that developing a NERC compliance program is a goal-driven effort. Review the different facets of NERC that apply to you and work with top management to make it a priority for you and your colleagues, whether the work is done by you or by a consulting firm.