Security and compliance are primarily accomplished through the use of controls.
In this context, controls are anything used to ensure that compliance regulations are followed and that compliance can be successfully proven (for example, in audits).
The traditional focus of controls is commonly termed Internal Controls.
Internal Controls exist to ensure that compliance practices are followed. They can include producing RSAWs, reviewing documents, managing documents, scheduling maintenance and testing activities, granting (and revoking) access rights, Change Management, and so on. These controls focus on ensuring that a consistent process is followed for each of these activities, one that is repeatable and compliant. These controls typically consist of business practices, software applications, or a combination of both.
However, Internal Controls are not prepared to keep you up to speed with the NERC standards. The push for Reliability is taking on a new set of expectations that Internal Controls are not geared to handle. The tip of the spear for these changes is the Reliability Assurance Initiative (RAI), and it is definitely a horse of a different color.
Prior to RAI, the litmus test of the compliance program (and hence, the Internal Controls) was its ability to successfully pass Audits. With RAI, the newly emerging expectation is that Electric Utility organizations will identify potential issues as they arise so that they can be assessed and corrected immediately.
This is where closed-loop controls come in.
Closed-loop controls first became popular in manufacturing, where someone figured out that providing a feedback loop into a control could enable it to become “smart.” What an improvement! Where traditional controls simply followed their instructions blindly, closed-loop controls are constantly fed information about their desired outcome so that they can intelligently adapt their control to achieve, and then maintain, that desired outcome.
For compliance, closed-loop controls offer the same benefits. Imagine how compliance changes when the compliance controls don’t just enforce a set of rules or perform a programmatic test, but instead detect and identify issues and then prompt you to assess and correct them immediately. Self-monitoring, self-healing, self-correcting. That’s what RAI and closed-loop controls are all about, and that is what you need to know as you plan out your RAI strategy.