Solution Briefs
Understanding, experience and technology for success

Proactive & Sustainable NERC Compliance

NERC Compliance Monitoring Methods:
  • Self-reporting
  • Periodic reporting
  • Self-certification
  • Investigations
  • Random spot checks
  • Compliance audits

Overview
In 1968, the North American Electric Reliability Corporation (NERC) was formed as the National Electric Reliability Council to prepare guidelines and practices for power system operations and coordination. Nearly four decades later, prompted by incidents such as the Northeast Blackout of 2003, the Energy Policy Act of 2005 made NERC’s reliability standards mandatory and enforceable across the United States.

In 2006, the Federal Energy Regulatory Commission (FERC) appointed NERC as the Electric Reliability Organization (ERO) for the United States. Since that time, NERC has been responsible for maintaining the reliability of the North American Bulk Electric System (BES) by developing and enforcing reliability standards, monitoring the BES, assessing its adequacy, and educating industry personnel.

Today, NERC’s Standards are mandatory throughout the United States and several Canadian provinces. Compliance is enforced through a rigorous program of audits, investigations, and reporting activities. Entities found to be in violation of a Standard can be fined up to $1 million per day per violation.

Broadly classified as the 693 standards (operations and planning, approved by FERC Order 693) and the CIP standards (approved by FERC Order 706), the NERC Reliability Standards are grouped into fourteen categories, each containing individual standards with specific requirements. These standards define requirements for planning and operating the bulk power system, and are developed through collaboration between NERC staff and representatives from several electric industry sectors.

NERC Reliability Standards:
  • Resource and Demand Balancing (BAL)
  • Communications (COM)
  • Critical Infrastructure Protection (CIP)
  • Emergency Preparedness and Operations (EOP)
  • Facilities Design, Connections, and Maintenance (FAC)
  • Interchange Scheduling and Coordination (INT)
  • Interconnection Reliability Operations and Coordination (IRO)
  • Modeling, Data, and Analysis (MOD)
  • Nuclear (NUC)
  • Personnel Performance, Training, and Qualifications (PER)
  • Protection and Control (PRC)
  • Transmission Operations (TOP)
  • Transmission Planning (TPL)
  • Voltage and Reactive (VAR)

The Corporate Risk Solutions & MetricStream Partnership

Corporate Risk Solutions, Inc. (CRSI) is the premier electric utility security consulting firm, providing a full suite of services to energy companies and government entities since 2001. CRSI has provided consulting services to hundreds of electric utilities across all eight NERC regions in North America and globally.

CRSI has an unequalled level of knowledge, understanding, and experience with the NERC Critical Infrastructure Protection (CIP) Standards, dating back to the failed Standard Market Design and the UA-1200 Standards through to the current NERC Reliability Standards (both 693 and 706). In recognition of their skills, knowledge, and capabilities, CRSI has been contracted by multiple Regional Entities to conduct NERC CIP Audits, CIP-002 Reviews, Mitigation Plan Reviews, and Technical Feasibility Exception (TFE) Reviews.

MetricStream is a market leader in Enterprise-wide Governance, Risk, and Compliance (GRC) and Quality Solutions for global corporations. MetricStream enterprise solutions are used by leading corporations in diverse industries to manage risk, quality processes, corporate policies, regulatory and industry-mandated compliance and corporate governance initiatives.

CRSI and MetricStream have formed a strategic partnership, bringing CRSI’s energy sector expertise to the MetricStream GRC solution suite. The partnership provides the power of MetricStream GRC solutions, customized specifically for compliance efforts within the NERC Standards.

Challenges of NERC Compliance

Complexity and High Costs of Compliance
The NERC Reliability Standards include 94 mandatory sub-standards and over 1,000 individual requirements. In addition, many of these requirements are constantly changing, and new recommendations are often introduced. This complexity makes efforts towards compliance extremely difficult.

For example, as companies prepare for the transition to NERC CIP version 5, they must keep up with the changes introduced in the new version. Adopting CIP version 5 requires redesigning existing policy and procedure documentation to capture the new requirements and enforcing them across the organization, which is a laborious and resource-intensive process.

Problems with Manual Processes
Many organizations rely on manual compliance tracking processes to record control assessments, prepare reports, and implement performance measures. Maintaining diverse manual processes complicates compliance preparation: updating multiple spreadsheets, databases, e-mail chains, and content management sites creates an unnecessary burden on staff, increases costs, and ultimately increases the potential for errors.

Duplication of Compliance Activities
Many companies manage their compliance tasks and control assessments in functional or organizational silos. As a result, collaboration across the organization is limited, leading to inconsistencies in compliance data. Again, costs are increased while compliance status metrics are unclear or redundant.

Limited View of Compliance
Clear visibility into NERC compliance data is essential to track the progress of controls and define compliance strategies. Yet most companies lack true visibility because they have no unified reporting system and instead rely on ad hoc manual processes. Consolidating reports at the enterprise level is complex and time-consuming, and viewing granular data can be extremely difficult. A common error that results from the absence of a holistic view of compliance requirements is treating compliance as a periodic, one-time event rather than as a continuous, organization-wide monitoring effort.

Extensive Documentation
To ensure NERC compliance, Responsible Entities have to manage volumes of relevant documentation. From documents interpreting the NERC Standards, to Reliability Standard Audit Worksheets (RSAWs), to detailed internal policies and technical procedures, the amount of information that must be organized for relevance and applicability across the assets under scrutiny makes evidence documentation arduous. It takes significant time and effort to sift through the documentation, find the appropriate controls, and link those controls to the corresponding standards and requirements.

Putting one’s best foot forward during an audit engagement is key. Bridging the gap between what an entity has documented and what it can demonstrate with tangible evidence of implementation is crucial to passing an audit. Audit evidence must be documented comprehensively enough that it covers each mandatory requirement, shows that the control has been tested and is in place, and reflects the current operational status of the organization.

Task Management Complexities
Compliance audits generate a number of tasks that must be assigned to the appropriate Subject Matter Experts (SMEs). These tasks range from internally assessing and monitoring controls to identifying and resolving issues as soon as they are discovered. Without an integrated and automated task management system, companies face greater difficulties in maintaining a sustainable and closed-loop compliance program.

The Bottom Line:

With continual changes to existing NERC standards and the introduction of new compliance requirements, preparing for a NERC audit is like trying to hit a constantly-moving target. Audits are already difficult; however, they are only going to become more challenging in this rapidly changing environment!

Overcoming the Challenges of NERC Compliance

Challenges to utility companies include increasing customer demands, decreasing budgets, new technological innovations, evolving regulatory requirements, and managing known and unknown threats to the security of IT infrastructure. Managing NERC compliance in the face of all these factors requires an efficient, proactive, and sustainable approach. But how does one achieve that goal?

Companies need to develop and enforce effective policies, standards, and technical procedures aligned with NERC requirements. To effectively manage documentation, manual processes should be replaced with automated workflows designed to measure, report, monitor, and manage compliance issue remediation. Doing so will significantly improve resource utilization, increase the accuracy of compliance data, and reduce costs to the organization.

Many companies are discovering that as they grow and expand their operations, having an integrated compliance and controls framework is critical to sustaining NERC compliance. Fragmented organizational and functional silos are giving way to the need for a holistic organizational approach. Individual workgroups and business units must maintain constant collaboration and implement a more intelligent and systematic process in order to eliminate duplication of effort and facilitate the free flow of information across organizational boundaries.

Utility companies that have implemented an integrated compliance framework find that they are able to achieve the following:

  • Improve the cost-effectiveness of compliance programs
  • Establish a well-structured, closed-loop compliance workflow activity
  • Minimize redundancies in documentation and work effort while maximizing synergy
  • Provide a high-level overview of their compliance program while maintaining the ability to quickly produce a granular level of information on specific controls
  • Identify compliance gaps and design effective mitigation strategies in a proactive manner
  • Make confident strategic decisions for maintaining NERC compliance in an ever-changing landscape
  • Simplify the tracking of compliance issues while maintaining an accurate picture of the organization’s true level of compliance preparedness

The CRSI & MetricStream NERC Compliance Management Solution

The CRSI and MetricStream NERC Compliance Management Solution will help organizations strengthen and simplify the management of all NERC compliance requirements. The solution provides an integrated set of applications to streamline and automate end-to-end NERC compliance processes, while consolidating all compliance activities, data, and initiatives within a centralized framework. This framework provides a systematic, collaborative, and closed-loop approach to the NERC compliance issues faced daily. Powerful real-time dashboards and interactive reporting features will provide valuable insight into NERC compliance processes, as well as the intelligence and data management that will facilitate proactive and sustainable compliance.

Capabilities of the CRSI and MetricStream Solution

NERC Compliance Environment and Process Design
The CRSI and MetricStream NERC Compliance Management Solution enables companies to define and maintain a centralized structure of their overall compliance and control hierarchy, including processes and assets in scope, risks to the assets, mitigating controls addressing these risks, and mechanisms to assess continued compliance for these controls. With the CRSI and MetricStream solution, electric utility companies can structure a logical internal controls framework, beginning with the respective standards and extending down to the associated sub-standards, requirements, controls, and controls testing. This framework significantly streamlines compliance activities and quickly associates controls to the governing regulation. Our solution simplifies the tracking of all control-based activities across the enterprise.

Automatic Alerts of Updates to NERC Reliability Standards
The CRSI and MetricStream NERC Compliance Management Solution automatically identifies and imports NERC regulations from the NERC website or other external information sources. The solution captures information such as each standard’s specific requirements, its effective dates, and where it applies. Internal compliance professionals can filter relevant content, accept or reject updates, and import content into a centralized library for creating actions, tasks, controls, and compliance assessment processes. Multiple versions of a standard, such as NERC CIP version 3 and version 5, can be maintained within the system so that they can be compared and any gaps or new risks to the managed security and operations infrastructure identified.

NERC Compliance Assessments
The CRSI and MetricStream NERC Compliance Management Solution supports assessments based on predefined criteria. This solution also allows for customized checklists for scoring, tabulating, and reporting the results. Control assessments can be designed based on assigned roles and responsibilities and scheduled for periodic checks based upon the requirements and associated risks. For Information Technology requirements, such as the NERC CIP Standards, these assessments can be configured to analyze application data for its completeness, accuracy, validity, authenticity, authorization, and other access control rules. A centralized repository of all assessments allows for easy search capabilities, ensuring that internal auditors and compliance professionals can provide timely documentation and evidence of compliance.

Risk Assessment and Management
The CRSI and MetricStream NERC Compliance Management Solution allows the adoption of a risk-based approach to NERC compliance. The solution supports risk assessments and computations based on configurable methodologies and algorithms, providing a clear view into each company’s regulatory compliance risk profile. This enables internal auditors to recommend strategies for optimal risk/reward outcomes. A built-in risk library keeps all risks and controls in a centralized and organized manner. In addition, graphical dashboards, risk heat maps, and detailed reporting capabilities provide real-time insight into potential compliance risk across the enterprise.

Compliance Audits
The CRSI and MetricStream NERC Compliance Management Solution helps manage the complete audit lifecycle, including audit planning, resource management, task scheduling, and the escalation, monitoring, and reporting of findings. The solution includes capabilities for preparing a compliance questionnaire, conducting mock audits, tracking known issues, communicating issues with external and internal auditors, and negotiating with auditors to resolve them. Using this solution, internal auditors can search for and customize checklists, create new checklists, and save multiple checklist versions in the central repository.


“I was very impressed with the assessment performed by CRSI. The team was professional and had an outstanding ability to work with our Subject Matter Experts in seamlessly transitioning from ‘Audit Mode’ to a ‘Coaching or Instructional Mode.’ Recommendations regarding evidence stacking and what to be prepared for regarding follow up questions were of tremendous benefit. The Audit Team also provided recommendations of evidence that may not be necessary for the RSAW but could be an anticipated evidence request. It was a pleasure working with the CRSI Team and I would without hesitation solicit their services again.”

-Rob Robertson,
Former Manager, NERC Compliance for NSTAR Electric (Now with FirstWind)

Risk Based Asset Management
The CRSI and MetricStream NERC Compliance Management Solution provides a comprehensive asset management module for the identification and management of all physical assets and Cyber Assets (CAs). Under the NERC CIP version 3 standards, organizations can record the risk methodologies used to identify and classify Critical Cyber Assets (CCAs); under NERC CIP version 5, organizations can record BES Cyber Systems and their impact ratings. In addition, the solution maintains detailed asset profiles in the centralized repository, tracks and schedules asset installations and redeployments, and tracks system maintenance, refurbishment, and disposal. Asset information can be imported from existing databases such as IBM Tivoli, HP Asset Manager, BMC Remedy, and CA IT Asset Manager using CRSI and MetricStream’s Infolet technology. Built-in dashboards provide aggregated views, trends, and analysis to determine long-term asset needs, capital requirements, and potential threats.

Self-Certification Report Management
The CRSI and MetricStream NERC Compliance Management Solution helps prepare self-certification documentation, including NERC RSAWs, to evaluate, tabulate, review, and report evidence of NERC compliance. Organizations can store associated policies and procedures, applicable reporting requirements, and file templates and schedules for the various regulatory requirements, and can configure standardized compliance reports as well as ad hoc or specialized reports.


“Reliability compliance is a critical program for us. We must report on over a thousand standards and requirements for the large number of participants in our energy market. By using MetricStream we will be able to enhance our compliance efforts. We selected MetricStream because it was user friendly, secure and will integrate easily with our existing systems.”

- Dan Rochester,
Manager, Reliability Standards and Assessments

Issue Management and Remediation
For issues and exceptions that pose a risk of non-compliance, the CRSI and MetricStream NERC Compliance Management Solution triggers a systematic process of investigation and remediation. Automatic alerts and notifications are sent to the appropriate personnel for task assignment, and the system keeps exception cases open until action plans are carried out. All results are verified for effectiveness and can be tracked automatically as they progress from one stage to the next. Additionally, root cause analysis can be mapped to any element of the framework: individual processes, the regulations and requirements they address, and specific assets or asset classifications.

Real-Time Compliance Monitoring
The CRSI and MetricStream NERC Compliance Management Solution contains executive dashboards with drill-down capabilities that provide enterprise-wide visibility into the NERC compliance process. Issues that need to be addressed are highlighted, and the solution tracks the status of compliance issues, process ownership, assessment plans, and more on graphical charts. These customizable charts provide real-time information that can be accessed by the organizational units responsible for the action items shown. Monthly and quarterly trend analysis lets compliance managers and process owners stay in touch with the on-the-ground reality and follow progress on all important compliance issues. Compliance becomes more manageable and predictable because the solution provides automated alerts for events such as exceptions and failures, eliminating surprises before an important audit.

The CRSI and MetricStream Value Proposition

With the CRSI and MetricStream NERC Compliance Management Solution, organizations will be able to effectively:

  • Build an integrated and collaborative approach to NERC compliance, eliminating redundancies by transcending organizational and functional silo boundaries.
  • Stay informed on a real-time basis of all NERC changes and updates through automatic alerts.
  • Streamline compliance activities, including mapping of regulations to policies, developing effective controls, assessing risks, performing compliance audits, preparing and implementing action plans, and identifying and mitigating risk issues.
  • Enable risk-based compliance through configurable methodologies for risk assessments, risk heat maps and real-time dashboards.
  • Increase transparency into the status of compliance processes and obtain data needed for improved strategic level decision-making.
  • Enhance the efficiency and reliability of reporting and self-certification.
  • Automate compliance processes critical for audit preparedness and improved efficiency, thereby optimizing resource allocation, improving accuracy and timeliness of action items, and reducing organizational costs.