Compliance Program Growing Pains

Wednesday, July 18, 2012 @ 06:07 PM gHale

By Nicholas Sheble
“Being CIP compliant doesn’t mean you’re secure but good security will lead to compliance,” said Jacob Kitchel, Industrial Defender’s NERC expert Wednesday.

NERC is the North American Electric Reliability Corporation, and CIP is its set of Critical Infrastructure Protection standards. Version 4 (v4) of the mandate has been approved and takes effect in April 2014. Electric utilities continually adapt to and adopt the standards, both for the reliability of the grid and to avoid fines of up to $1 million a day.


CIP v4 is the new and improved version of CIP v3. “The standards are fundamentally the same, but audit and enforcement have changed, as well as the clarification and expansion of ‘critical asset’ criteria,” said Steve Parker, former CIP auditor and VP of Technology Research and Projects at EnergySec.

The CIP v4 Reliability Standards include “bright line” criteria for identifying critical assets and, as such, replace the risk-based assessment methodology that each utility developed and applied under the CIP v3 Reliability Standards.

The “bright line” criteria are very specific and leave much less room for interpretation as to whether an asset is critical or not. The proposed CIP v5 goes a step further and categorizes cyber systems as “high impact,” “medium impact,” or “low impact” on the “bulk electric system.”

According to the wording of the draft v5 standard, that tiering also sets the pace of implementation: protections for “high impact” systems must be in place sooner than those for “medium impact” assets. In addition, v4 includes conforming modifications to the remaining CIP Reliability Standards.

There is an entire industry that helps utilities become secure, compliant, and resilient against the many forces and outside interference that threaten the orderly delivery of electricity. Kitchel and Parker presented during the Industrial Defender webcast “Auditor’s and Expert’s Talk; A Blueprint for NERC CIP Compliance” Wednesday.

Both experts said that, to ensure compliance, utility security staff need to:
• Get executive-level buy-in.
• Be secure first; compliance will follow. Beware of merely trying to be “compliant.”
• Build bridges between the organization’s information technology (IT) structure and its operations technology (OT) people.
• Log EVERYTHING, and do it using automation, not spreadsheets.
• Communicate. You are not alone; use EnergySec.

EnergySec is a community of information security, physical security, audit, disaster recovery, and business continuity professionals from energy industry utilities. There are members from all over the world. It operates programs, events, and technology solutions designed to help improve the security posture of the energy sector.

In addition, they encourage using the National Electric Sector Cybersecurity Organization (NESCO), a public-private partnership that serves as a focal point bringing together utilities, federal agencies, regulators, researchers, and academics.

NESCO works to identify and support efforts to enhance cyber security of the electric infrastructure and gets partial funding from the U.S. Department of Energy.

The webcast will be available on the Industrial Defender website. It covers:
• Major changes from CIP v3 to CIP v4
• What to expect in V5, and who it will affect
• Foundations of a sustainable compliance program and strategies for implementation
• Recurring major violations and how to avoid them

Nicholas Sheble is an engineering writer and technical editor in Raleigh, NC.
