Understanding, experience and technology for success
In 1968, the North American Electric Reliability Corporation (NERC) was formed as the National Electric Reliability Council to prepare guidelines and practices for power system operations and coordination. Four decades later, prompted by incidents such as the Northeast Blackout of August 2003, the Energy Policy Act of 2005 made compliance with NERC’s reliability standards mandatory and enforceable in the United States.
In 2006, the Federal Energy Regulatory Commission (FERC) certified NERC as the Electric Reliability Organization (ERO) for the United States. Since then, NERC has been responsible for the reliability of the North American Bulk Electric System (BES): developing and enforcing reliability standards, monitoring the BES, assessing its adequacy, and educating industry personnel.
Today, NERC’s Standards are mandatory throughout the United States and several Canadian provinces. Compliance is enforced through a rigorous program of audits, investigations, and reporting activities. Entities found to be in violation of a Standard can be fined up to $1 million per day per violation.
Broadly classified as the “693” standards (the operations and planning standards approved in FERC Order 693) and the CIP standards (the Critical Infrastructure Protection standards approved in FERC Order 706), the NERC Standards fall into fourteen families of Reliability Standards, each consisting of individual standards with specific requirements. These standards define requirements for planning and operating the bulk power system and are developed through collaboration between NERC staff and representatives from the electric industry sectors.
NERC Reliability Standards (table not reproduced on this page)
Corporate Risk Solutions, Inc. (CRSI) is the premier electric utility security consulting firm, providing a full suite of services to energy companies and government entities since 2001. CRSI has provided consulting services to hundreds of electric utilities across all eight NERC regions in North America and globally.
CRSI has an unequalled level of knowledge, understanding, and experience with the NERC Critical Infrastructure Protection (CIP) Standards, dating back to the failed Standard Market Design and the Urgent Action 1200 (UA-1200) cyber security standard through to the current NERC Reliability Standards (both the Order 693 and Order 706 standards). In recognition of these skills, knowledge, and capabilities, CRSI has been contracted by multiple Regional Entities to conduct NERC CIP Audits, CIP-002 Reviews, Mitigation Plan Reviews, and Technical Feasibility Exception (TFE) Reviews.
MetricStream is a market leader in Enterprise-wide Governance, Risk, and Compliance (GRC) and Quality Solutions for global corporations. MetricStream enterprise solutions are used by leading corporations in diverse industries to manage risk, quality processes, corporate policies, regulatory and industry-mandated compliance and corporate governance initiatives.
CRSI and MetricStream have formed a strategic partnership, bringing CRSI’s energy sector expertise to the MetricStream GRC solution suite. The partnership provides the power of MetricStream GRC solutions, customized specifically for compliance efforts within the NERC Standards.
Complexity and High Costs of Compliance
The NERC Reliability Standards include 94 mandatory sub-standards and over 1,000 individual requirements. In addition, many of these requirements are constantly changing, and new recommendations are often introduced. This complexity makes efforts towards compliance extremely difficult.
For example, as companies prepare for the transition to NERC CIP version 5, they must continually track the changes introduced in the new version. Adopting CIP version 5 means redesigning and revising existing policy and procedure documentation to capture the new requirements and then enforcing them across the organization, a laborious and resource-intensive process.
Problems with Manual Processes
Many organizations rely on manual compliance tracking processes to record audit control assessments, prepare reports, and implement performance measures. Maintaining diverse manual processes complicates compliance preparation: keeping multiple spreadsheets, databases, e-mail chains, and content management sites up to date places an unnecessary burden on staff, increases costs, and ultimately increases the potential for errors.
Duplication of Compliance Activities
Many companies manage their compliance tasks and control assessments in functional or organizational silos. As a result, collaboration across the organization is limited, leading to inconsistencies in compliance data. Again, costs are increased while compliance status metrics are unclear or redundant.
Limited View of Compliance
Clear visibility into NERC compliance data is essential to track the progress of controls and define compliance strategies. Yet most companies lack true visibility because they have no unified reporting system and instead rely on ad hoc manual processes. Consolidating reports at the enterprise level is complex and time-consuming, and viewing granular data can be extremely difficult. A common error that follows from the absence of a holistic view of compliance requirements is treating compliance as a periodic, one-time event rather than as a continuous, organization-wide monitoring effort.
To ensure NERC compliance, Responsible Entities have to manage large volumes of documentation. From documents interpreting the NERC Standards to Reliability Standard Audit Worksheets (RSAWs) to detailed internal policies and technical procedures, the amount of information that must be organized for relevance and applicability across the assets under scrutiny makes evidence documentation arduous. It takes significant time and effort to sift through the documentation, find the appropriate controls, and link those controls to the corresponding standards and requirements.
Putting one’s best foot forward during an audit engagement is the key to success. Bridging the gap between what an entity has documented and what it can demonstrate with tangible evidence of implementation is crucial to passing an audit. Audit evidence must be documented comprehensively enough to cover the mandatory requirements, show that each control has been tested and is in place, and reflect the current operational status of the organization.
Task Management Complexities
Compliance audits generate a number of tasks that must be assigned to the appropriate Subject Matter Experts (SMEs). These tasks range from internally assessing and monitoring controls to identifying and resolving issues as soon as they are discovered. Without an integrated and automated task management system, companies face greater difficulties in maintaining a sustainable and closed-loop compliance program.
With continual changes to existing NERC standards and the introduction of new compliance requirements, preparing for a NERC audit is like trying to hit a constantly moving target. Audits are already difficult, and they will only become more challenging in this rapidly changing environment.
Challenges to utility companies include increasing customer demands, decreasing budgets, new technological innovations, evolving regulatory implications, and managing known and unknown threats to the security of IT infrastructure. Managing NERC compliance in the face of all these factors requires an efficient, proactive, and sustainable approach, but how does one achieve that goal?
Companies need to develop and enforce effective policies, standards, and technical procedures aligned with NERC requirements. To effectively manage documentation, manual processes should be replaced with automated workflows designed to measure, report, monitor, and manage compliance issue remediation. Doing so will significantly improve resource utilization, increase the accuracy of compliance data, and reduce costs to the organization.
Many companies are discovering that as they grow and expand their operations, having an integrated compliance and controls framework is critical to sustaining NERC compliance. Fragmented organizational and functional silos are giving way to the need for a holistic organizational approach. Individual workgroups and business units must maintain constant collaboration and implement a more intelligent and systematic process in order to eliminate duplication of effort and facilitate the free flow of information across organizational boundaries.
Utility companies that have implemented an integrated compliance framework find that they are able to achieve the following:
The CRSI and MetricStream NERC Compliance Management Solution will help organizations strengthen and simplify the management of all NERC compliance requirements. The solution provides an integrated set of applications to streamline and automate end-to-end NERC compliance processes, while consolidating all compliance activities, data, and initiatives within a centralized framework. This framework provides a systematic, collaborative, and closed-loop approach to the NERC compliance issues faced daily. Powerful real-time dashboards and interactive reporting features will provide valuable insight into NERC compliance processes, as well as the intelligence and data management that will facilitate proactive and sustainable compliance.
NERC Compliance Environment and Process Design
The CRSI and MetricStream NERC Compliance Management Solution enables companies to define and maintain a centralized structure of their overall compliance and control hierarchy, including processes and assets in scope, risks to the assets, mitigating controls addressing these risks, and mechanisms to assess continued compliance for these controls. With the CRSI and MetricStream solution, electric utility companies can structure a logical internal controls framework, beginning with the respective standards and extending down to the associated sub-standards, requirements, controls, and control testing. This framework significantly streamlines compliance activities and quickly associates each control with the governing regulation. The solution simplifies the tracking of all control-based activities across the enterprise.
Automatic Alerts of Updates to NERC Reliability Standards
The CRSI and MetricStream NERC Compliance Management Solution automatically identifies and imports NERC regulations from the NERC website or other external information sources. The solution captures information such as the standard’s specific requirements, effective dates for application within the industry, and application zones. Internal compliance professionals can filter relevant content, accept or reject updates, and import contents to a centralized library for creating actions, tasks, controls, and compliance assessment processes. Multiple versions of regulatory requirements, such as NERC CIP version 3 and version 5, can be maintained within the system side by side, so that the differences between versions can be compared against the organization’s current controls to expose non-compliance gaps or risks to the managed security and operations infrastructure.
NERC Compliance Assessments
The CRSI and MetricStream NERC Compliance Management Solution supports assessments based on predefined criteria. This solution also allows for customized checklists for scoring, tabulating, and reporting the results. Control assessments can be designed based on assigned roles and responsibilities and scheduled for periodic checks based upon the requirements and associated risks. For Information Technology requirements, such as the NERC CIP Standards, these assessments can be configured to analyze application data for its completeness, accuracy, validity, authenticity, authorization, and other access control rules. A centralized repository of all assessments allows for easy search capabilities, ensuring that internal auditors and compliance professionals can provide timely documentation and evidence of compliance.
Risk Assessment and Management
The CRSI and MetricStream NERC Compliance Management Solution allows the adoption of a risk-based approach to NERC compliance. The solution supports risk assessments and computations based on configurable methodologies and algorithms, providing a clear view into each company’s regulatory compliance risk profile. This enables internal auditors to recommend strategies for optimal risk/reward outcomes. A built-in risk library enables all risks and controls to be maintained in a centralized and organized manner. In addition, graphical dashboards, risk heat maps, and detailed reporting capabilities provide real-time insight into potential compliance risk across the enterprise.
The CRSI and MetricStream NERC Compliance Management Solution helps manage the complete audit lifecycle, including audit planning, resource management, task scheduling, and the escalation, monitoring, and reporting of findings. The solution includes capabilities for preparing a compliance questionnaire, conducting mock audits, tracking known issues, communicating issues with external and internal auditors, and negotiating with auditors to resolve these issues. Using this solution, internal auditors can search for and customize checklists, create new checklists, and save multiple checklist versions in the central repository.
Risk Based Asset Management
The CRSI and MetricStream NERC Compliance Management Solution provides a comprehensive asset management module for the identification and management of all physical and Cyber Assets (CAs). Under the NERC CIP version 3 standards, organizations can record the risk-based assessment methodology used under CIP-002 to identify Critical Assets and their associated Critical Cyber Assets (CCAs); for NERC CIP version 5, organizations can record BES Cyber Systems and their high, medium, or low impact ratings. In addition, the solution maintains detailed asset profiles in the centralized repository, tracks and schedules asset installations and re-deployment, and tracks system maintenance, refurbishment, and disposal. Asset information can be imported from existing databases such as IBM Tivoli, HP Asset Manager, BMC Remedy, and CA IT Asset Manager using CRSI and MetricStream’s Infolet technology. Built-in dashboards provide aggregated views, trends, and analysis to determine long-term asset needs, capital requirements, and potential threats.
Self-Certification Report Management
The CRSI and MetricStream NERC Compliance Management Solution helps prepare self-certification documentation, including NERC RSAWs, to evaluate, tabulate, review, and report evidence of NERC compliance. Organizations can store associated policies and procedures, applicable reporting requirements, and file templates and schedules for the various regulatory requirements. Organizations gain the flexibility to configure standardized compliance reports as well as ad hoc or specialized reports.
“Reliability compliance is a critical program for us. We must report on over a thousand standards and requirements for the large number of participants in our energy market. By using MetricStream we will be able to enhance our compliance efforts. We selected MetricStream because it was user friendly, secure and will integrate easily with our existing systems.”
Issue Management and Remediation
For issues and exceptions that pose a risk of non-compliance, the CRSI and MetricStream NERC Compliance Management Solution triggers a systematic mechanism of investigation and remediation. Automatic alerts and notifications are sent to the appropriate personnel for task assignment, and the system keeps exception cases open until their action plans are carried out. All results are verified for effectiveness and can be tracked automatically as they progress from one stage to the next. Additionally, root cause analysis can be mapped to any entity in the framework: individual processes, the relevant regulations and requirements, and specific assets or asset classifications.
Real-Time Compliance Monitoring
The CRSI and MetricStream NERC Compliance Management Solution contains executive dashboards with drill-down capabilities that provide enterprise-wide visibility into the NERC compliance process. Issues that need attention are highlighted, and the solution tracks the status of compliance issues, process ownership, assessment plans, and more on graphical charts. These customizable charts provide real-time information that can be accessed by the organizational units responsible for the action items they represent. Monthly and quarterly trending analysis enables compliance managers and process owners to stay in touch with the on-the-ground reality and follow progress on all important compliance issues. The compliance process becomes more manageable and predictable because the solution raises automated alerts for events such as exceptions and failures, eliminating untimely surprises before an important audit.
With the CRSI and MetricStream NERC Compliance Management Solution, organizations will be able to effectively: