By Jay Abshier
A sea change is sweeping through the North American bulk electricity system in the wake of the U.S. Energy Policy Act of 2005 (EPAct). Previously voluntary reliability programs under the aegis of the North American Electric Reliability Council (NERC) are transitioning to mandatory standards under the Federal Energy Regulatory Commission (FERC), with substantial financial penalties for noncompliance.
The enforcement timeline for the CIP Standards commenced on January 1, 2007, with auditable compliance being required in 2010. The exact dates depend on the functional entity(ies) for which the utility is registered (transmission operator, generation operator, etc.).
Penalties for noncompliance follow the standard FERC/NERC penalty matrix, with fines ranging from $1,000 to $1,000,000 per violation per day, scaled by the severity of the violation and the risk it poses to the bulk power system.
In July 2007, FERC staff recommended to the Commission that the CIP standards and their implementation schedule be approved. FERC also directed NERC to revisit the CIP standards and identified specific areas that need modification. Observers expect that if the CIP standards are modified, new implementation schedules will be adopted for conformance to any approved changes.
Reliability standards had their genesis following the major North American power outage in November 1965, with the implementation of voluntary operating policies and planning standards. These were designed to ensure the reliability of the bulk power system in the U.S. and Canada. Subsequent outage events, such as the summer 1996 Western grid blackouts and the August 2003 Northeast blackout, led to further emphasis on these standards.
As a result of EPAct, FERC certified NERC in 2006 as the Electric Reliability Organization (ERO) with full oversight for enforcing reliability standards compliance. An additional result of EPAct is that FERC now has full authority to approve all reliability standards. To date, NERC has submitted 107 standards to FERC for approval; 83 have been approved, while 24 are awaiting approval pending further refinement. Many of the approved standards received conditional approval and will require updating—a process that may require up to two, and in some cases, three years to complete. Furthermore, FERC has identified issues with CIP (Critical Infrastructure Protection) 002-009 and has solicited comments. This article will focus on CIP 002-009, the standards for cyber security.
Any entity that owns, operates or uses any portion of the bulk power system must comply with these new mandatory reliability standards. The compliance process itself involves periodic, formal NERC audits by the Regional Reliability Councils. The process also involves active self-certification, periodic reporting of compliance data and statistics and self-reporting of any noncompliance with NERC policies, procedures or standards.
Briefly, NERC CIP 002-009 covers the following topics:
CIP-002: Critical Cyber Asset Identification
CIP-003: Security Management Controls
CIP-004: Personnel and Training
CIP-005: Electronic Security Perimeter(s)
CIP-006: Physical Security of Critical Cyber Assets
CIP-007: Systems Security Management
CIP-008: Incident Reporting and Response Planning
CIP-009: Recovery Plans for Critical Cyber Assets
A Typical CIP Compliance Project
NERC CIP compliance should be undertaken in a four-phase approach. Phase 1 completes CIP-002, together with the leadership portion of CIP-003, to determine the number and type of critical assets and critical cyber assets; everything that follows is scoped by this list, so it must be finalized before the later phases begin. Phase 2 establishes the electronic and physical security perimeter(s) around those critical cyber assets and conducts a gap analysis between the client's current state and the state required for compliance. Phase 3 implements the policies, procedures, documentation and, if required, infrastructure upgrades that close the gaps. Compliance mechanisms must also be put in place in this phase: identifying the evidence documents each requirement calls for and implementing a repeatable way of capturing and retaining them. Phase 4 collects one calendar year's worth of the documentation identified by those compliance mechanisms, which is what earns "auditably compliant" status.
Crucial to the success of the project are the availability of key client stakeholders and support staff to assist with the effort, and an effective governance structure covering both cyber security in general and CIP compliance in particular.
ControlGlobal.com is exclusively dedicated to the global process automation market. We report on developing industry trends, illustrate successful industry applications, and update the basic skills and knowledge base that provide the profession's foundation.