Interested in linking to "Becoming NERC CIP-Compliant"?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
Following is a high-level view of these phases and some typical tasks in each:
Phase 1: Critical asset and cyber asset identification
Phase 2: Gap Analysis
Phase 3: Implement recommendations to close gaps
Phase 4: Auditable compliance
The resources required for a CIP compliance project and ongoing compliance will be determined by the size of a company. In general, the equivalent of three to ten full-time employees are required to complete a compliance project and one to four to ensure ongoing compliance.
From a documentation point of view, for a single entity, the requirements for policies, procedures and forms typically include about 140 policy statements in fourteen policy documents, 20 to 30 procedures and 50 to 60 forms.
From a software tool point of view, compliance typically requires software for document management, change control, configuration discovery and management, log file consolidation and analysis, anti-virus, intrusion detection, network access control and end-point (workstation) device control.
Also, to be “auditably compliant,” an entity must collect one calendar year’s worth of documentation. This means that if compliance with CIP is required by June of 2010, then the collection of documentation (essentially being compliant without the collected documents) must start on Jan 1, 2009.
Any new regulatory requirement poses risks, and the implementation of NERC reliability standards compliance is no exception. Entities that act early and proactively to become compliant will benefit in several ways. They will establish a positive relationship with NERC auditors and rule-setting committees that will enhance their influence in setting further reliability compliance standards. Shareholders and investors are likely to view compliant entities with more confidence. Finally, compliance minimizes the possibility of financial penalties as well as other financial, legal and personal risks that can damage an entity’s reputation.
Jay Abshier, CISSP, is a senior principal consultant with KEMA Inc.
Penalties for non-compliance use the standard FERC and NERC penalty matrix, with fines ranging from $1,000 to $1,000,000.
ControlGlobal.com is exclusively dedicated to the global process automation market. We report on developing industry trends, illustrate successful industry applications, and update the basic skills and knowledge base that provide the profession's foundation.