Is your company prepared to meet the NERC CIP version 5 Reliability standards?
The CIP version 5 standards represent a shift in the compliance landscape for electric utilities. The expansion of CIP coverage under the version 5 standards will significantly increase the scope of utility infrastructure under CIP in the Low impact rating category. The shift from “after-the-fact evidentiary reporting” to actively managed controls that identify and implement corrective actions is also a notable change from past compliance expectations.
The net effect is that CIP version 5 will affect most, if not all, of the electric utilities in the country. This increases the importance of solutions that can help utilities already under CIP adapt to the changes in version 5, and that can help utilities not currently under CIP in version 3 take on their new responsibility for CIP version 5 compliance.
SigmaFlow’s Compliance Manager Solution manages all aspects of CIP version 5, including the three main goals of the Reliability Assurance Initiative (RAI) from NERC – improved performance, management controls with corrective action, and reduced administrative burden. This solution simplifies CIP version 5 compliance and delivers a comprehensive and effective solution for those transitioning from version 3 to version 5 in addition to those addressing CIP for the first time under version 5.
I sat down with Terry Schurter, VP of NERC Solutions for SigmaFlow, to ask for his insight on the impact of CIP version 5 and how the SigmaFlow Compliance Manager helps address the new challenge.
Q. How will CIP version 5 affect utilities?
A. The most important impact of CIP version 5 is the fact that most of the utilities and systems that had little CIP responsibility (no Critical Assets) under version 3 will now fall into the CIP version 5 Low Impact Rating. Utility companies will need to extend some of the most important CIP controls to all these Low Impact systems where they are not in use today.
Q. Does this have an impact for utilities already under CIP in version 3?
A. Yes, it does. Version 5 is a significant regulatory change in multiple ways. One big part is the emphasis on moving away from after-the-fact evidentiary reporting to an ongoing state of validation, assessment, and correction. Add to that the additional systems that will be brought under the CIP umbrella with version 5 (in particular the Lows) and it means there is a lot to do, even for those organizations already used to having Critical Assets under version 3.
Q. Are there unique challenges facing the utilities that will be under CIP requirements for the first time?
A. Most certainly. Even as a Low Rating, utilities need to have the complete skeleton of a robust cyber security practice put in place. This includes multiple policies, procedures, reporting, data management, and document management. If you don’t have the knowledge and tools needed to solve this challenge, things can go off the track in a big hurry, and unfortunately, there are a lot more ineffective approaches to establishing your first real CIP compliance program than there are effective ones!
Q. So what role should SigmaFlow Compliance Manager play in respect to these challenges?
A. That is a very important question and there are a lot of variations to it. For example, if you are just now heading into your first real CIP experience under version 5, then the capabilities of their Compliance Manager can address a substantial part of your needs “out of the box.” It will also eliminate the need to go through the “learn by audit” experiences your counterparts under version 3 have already battled through. Leveraging those lessons learned is a huge benefit. If you are already under CIP version 3 then Compliance Manager will give you the capability to easily manage version 3 and version 5 in one solution, along with the scaling capability to handle any likely increase in systems under CIP (mostly Low Impact again).
In addition, Compliance Manager is specifically designed to handle the controls-based compliance approach outlined in CIP version 5. So no matter whether you are dealing with version 3 now and preparing for version 5 or coming under CIP in version 5 for the first time, the SigmaFlow Compliance Manager solution is specifically designed to help you meet the new expectations in CIP 5 with the least amount of up-front time and ongoing effort.