In my most recent tenure at an electric utility in the western part of the United States, I had the pleasure of being audited a handful of times.
During the most recent audit cycle, both of our utility subsidiaries were audited by two different regional entities within only a few months. Let’s just say it was a rough quarter for everyone involved!
Preparing adequately for the mountain of evidence, interviews and site tours had a significant impact on the successful outcome of the audits.
Here are five tips that hopefully you can benefit from as you prepare for your next audit.
1. Put a lot of effort into your Reliability Standard Audit Worksheets (RSAWs)
It’s not possible to prepare adequately in the months leading up to your audit, and some may argue that it also is not possible to prepare adequately even in the quarters or years leading up to it, either. Because the whole audit period is in scope, evidence could be requested for the whole three-year span.
In my opinion, the best way to ensure ongoing compliance is to ensure that RSAWs are completed thoroughly and reviewed for accuracy by independent parties.
The benefits are two-fold.
First off, you can identify shortcomings in your evidence or program and any potential non-compliance early, which can result in reduced fines or even Find Fix Track and Report (FFT).
Second, the evidence and narratives generated for your RSAWS can be used extensively in Pre-Audit Data Requests (see Tip #2), thereby significantly reducing the amount of work to respond to them.
Keeping up with RSAWs can be a burden, but if Subject Matter Experts (SMEs) keep them updated after every action, it’s a whole lot easier than trying to complete one from scratch at the end of the year.
2. Don’t Skimp on Pre Audit Data Requests
If you haven’t been through a v5 audit yet, you’ll be excited to know that the dreaded “Attachment G” has been replaced by three distinct levels of requests. While it is vastly improved, I will still unaffectionately refer to it as the “Data Bomb.”
Lucky for you, if you’ve taken heed and followed Tip #1 above, completing Level 1 of the Pre-Audit Data Request (typically received 90 days prior to audit) should for the most part be a copy and paste exercise.
Use this opportunity to shore up any shortcomings and stack your evidence. Our audit team found it especially helpful to have accurate yet concise explanations for each piece of evidence submitted.
If you plan on submitting a 16-page PDF containing Group Policy settings for your domain to satisfy the CIP-007 requirement to enforce password complexity, length, and aging, do them a favor by pointing out the page number, section, and setting name for each.
Once you’ve finished Level 1, move to Level 2 to get ahead of the game.
3. Mock Interviews
Audit interviews play a significant role in the outcome of your audit.
They are typically used as an opportunity for auditors to clarify any evidence that was submitted, test SME knowledge, and even get a look at the actual environment in question. (We had to demonstrate our Interactive Remote Access, for example.)
Being prepared for these interviews is critical to your success. By doing mock interviews, we discovered that while some of our SMEs excel at their day job, being interviewed isn’t necessarily their strong suit.
This gave us the opportunity to make informed decisions on who to put in front of the panel and who should take a back seat.
4. Leading Answers
During interviews, being prepared to answer open-ended questions is imperative.
Being careful to not stray from the topic can be difficult, but it is equally important to answering the question succinctly. While I don’t believe it is in the regional entity’s interest to ask leading questions to discover potential noncompliance, (Remember, they are trying to find compliance first and foremost.) there’s no reason to not help them find compliance in your Bulk Electric System (BES.)
On occasion, we found it helpful (and sometimes fun) to leverage what I call a “Leading Answer.”
For example, we were asked to describe the methods and tools that we were using to gather the CIP-010-2 R1.1 baseline components. We of course obliged and described our solution that automated the whole process from beginning to end and took the liberty to also describe some really robust functionality that we developed to help satisfy CIP-010-1 R2.1 to ensure that our 35-day baseline monitoring functionality was operational.
We spent the remainder of the interview talking about all the moving parts. By steering our answer, we got to show off some of the great work we were doing and in so doing potentially avoided other questions on requirements that may have not been our strong suit.
5. Evidence Consistency
Now that v5 no longer has the ability to exclude Substations and Generation facilities based on their lack of routable connectivity, a lot of people and facilities that were never in scope for a NERC CIP audit are suffering a rude awakening.
These business units should not be left to their own devices to gather evidence and write procedures that have been in place in their associated control centers for years.
Leveraging existing tools and procedures that proved successful in v3 across the BES should be used to the extent possible in facilities now subject to v5. Presenting consistent evidence across Low, Medium and High impact control centers, plants, and substations adds efficiencies in all facets of audit preparation and the audit itself.
About the Author: Robert Landavazo is a Systems Engineer at Tripwire where he focuses on helping customers secure their Industrial Control Systems. He has a background in in the electric utility sector, most re