Preparing for and implementing the next set of North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standards doesn’t have to create the anxiety that NERC CIP version five (v5) did for many companies. Bulk electric utilities can stay ahead of the curve by maintaining CIP programs that participate in the standards development process, study and measure the implementation impact of draft standards, triage them, and prepare implementation plans even before the standards are fully approved.
Few organizations were ready for the paradigm shifts that NERC CIP v3 and v5 represented. For them, compliance was a massive undertaking that required mobilizing large, expensive programs.
Now that we have the benefit of hindsight, it doesn’t have to be that way in the future.
A continuous evolution
Companies can instead operate a proactive NERC CIP compliance program that can actually save money in the long run, versus taking a reactive position when NERC publishes a new set of standards.
As we know, maintaining standards compliance and grid security doesn’t stop. For this reason, it’s critical to stay ahead of the curve. This can mean helping to shape regulators’ views and staying aware of the content of draft versions of standards as they become available. This lessens the impact large regulatory changes otherwise have on an organization.
Most large corporations, including bulk electric utilities, have continuous improvement programs in place that look for ways to optimize various parts of their operations. Critical infrastructure protection is no different. Including CIP in continuous improvement programs would not only help utilities prepare for new requirements; it could also evolve into a program that delivers truly leading security capabilities.
Compliance doesn’t equal security
This is important, because although the NERC CIP standards provide a means of implementing a minimum baseline of critical infrastructure cybersecurity controls, compliance does not equal security. For example, NERC CIP v5 requires that an employee’s access be revoked within 24 hours of termination. Utilities could be ahead of the game by determining whether immediate access revocation, which provides greater security, is economically feasible.
The key to success in CIP programs is to stay ahead of the curve. By doing this, you can avoid unexpected costs, understand potential impacts and begin planning far enough in advance to get the right teams and skills in place to deliver the necessary changes, without falling into the trap of reacting late and delivering controls and processes that are not sustainable in the long term. We believe sustainability is key. This means repeatable and automated processes that allow for minimal human intervention and ease of evidence collection and auditability. There is an up-front cost, but there is also a long-term tail of savings that starts to pay off immediately and increasingly as new standards come online.
Learn more in our new white paper, “KEEPING THE LIGHTS ON: Sustainable NERC CIP compliance.”