Guest blog from Karl Perman, Director of Member Services for EnergySec
Look for more guest blogs from Karl in the future!
Electricity generators and transmission operators are busy preparing compliance management programs for Version 5 of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards. These standards represent many changes for entities that are currently maintaining compliance with Version 3 of the CIP Standards and for those that will now fall under the applicability of Version 5.
Changes include the replacement of Risk-Based Assessment Methodologies with Bright Line Criteria, the retirement of Critical Assets and Critical Cyber Assets, the introduction of Cyber Assets, BES Cyber Assets and BES Cyber Systems, the introduction of a new table-based structure and increased timelines for some requirements.
The majority of the requirements for NERC CIP Version 5 continue the tradition of performance-based standards. Entities will be responsible for proving compliance through the production of evidence such as procedures, system logs, database records, scripts and testimony. I personally have experienced the late nights spent searching through cardboard boxes of documents, poring through screens of Excel spreadsheets and interviewing subject matter experts in the search for access logs, database records and incident reports in order to provide evidence of compliance. Indeed, many of these hours were spent after a request from an internal or external auditor.
After three to four of these instances, I became determined to search out a better way to maintain evidence of compliance. The first action item was to get the required documents into a central repository – Microsoft Access and custom databases were first used and later SharePoint was leveraged.
Today, new technologies have emerged as the CIP Standards have matured. Automated solutions are now available for processes that have traditionally been performed manually. These processes include configuration change management, inventory tracking and the maintenance of evidence of compliance.
As entities become familiar with the new terms, approaches and timelines introduced by NERC CIP Version 5, an evaluation of the use of automated solutions as a part of an entity’s compliance management program is warranted.
Read SigmaFlow’s recent press release:
SigmaFlow Announces Enhancements to its Compliance Manager Solution to Support NERC CIP v5 Standards