As I mentioned in the introductory blog last week, I’m going to be sharing some tips from around the web to help you prepare for CIP V5 and to improve your compliance practices as we count down to April 2016. So without further ado, let’s get started!
Our partner, Tripwire, published a great article last month by guest author Nick Santora, CEO of Curricula, entitled NERC CIP Audits: Top 10 Common Mistakes. In the article, Santora notes that some utilities fail to perform mock audits prior to undergoing a formal one.
Tip #1: Perform Mock Audits
At its core, NERC CIP compliance is about ensuring the security of our critical infrastructure, but for practical purposes, the goal of regulatory compliance within an organization is to be prepared to demonstrate that compliance in the event of an audit. I highly recommend reading Santora’s article for more information on avoiding common NERC CIP audit mistakes, but for the purposes of this article, I’ll be focusing on mock audits.
It’s not a matter of if you’re going to be audited; it’s a matter of when. A mock audit is one of the best tools available to prepare you for that eventuality. But you don’t have to take my word for it. This is what SigmaFlow’s VP of NERC Solutions Terry Schurter had to say:
It’s a very good point. For utilities that have not undergone an audit, the only way to prepare for that experience, and to validate that proper evidence that satisfies the CIP Version 5 Requirements is in place, is a mock audit run by experienced NERC CIP professionals.
Any utility organization that has not gone through an audit will learn a tremendous amount going through that first one. In that audit you will find out exactly what gaps exist. Now, if we think about that for just a moment, it becomes clear that we have a choice. We can just do what we think we should and learn about those gaps from the formal auditors, or we can engage in one or more mock audits with qualified professionals to find out what gaps exist before going through a formal audit.
I think it’s a no-brainer. Under no circumstances would an electric utility ever want to be in the place where they learn about gaps in their compliance practices during a formal audit. Going this route is likely to lead to formal mitigation plans that need to be created and implemented. It could result in compliance non-conformance and possible punitive damages. That is a lot of work, stress and risk that in most cases can be avoided.
Furthermore, any gaps a mock audit exposes aren’t shared outside of the utility. Those gaps need to be addressed of course, but they don’t require formal mitigation plans and they don’t require reporting to NERC. Mock audits prepare utility staff for the audit experience while giving them the opportunity to identify compliance gaps and solve them prior to ever going into that formal audit.
In conclusion, even if you think you’ve got all your ducks in a row in regard to NERC CIP compliance, there may still be gaps in your practices that won’t be evident until an audit is performed. Assume that you will be audited, and prepare for that eventuality to the best of your abilities.
Thanks for reading! I post a new tip every Friday here on the SigmaFlow Blog, so be sure to check back or follow SigmaFlow on Twitter, Facebook, or LinkedIn if you want to stay up-to-date on the latest articles.
Read the next article in this series: Countdown to CIP V5 Compliance: Focus on the Requirements