With the NERC CIP V5/V6 compliance deadline only four days away, I’m sure everyone is 100% ready and has everything figured out with no worries, right? While I’m sure some of you are still scrambling, I thought I’d offer up a few predictions and some advice based on my previous experience with Versions 1-3 of the NERC CIP Framework:
1. Remember that the Regional Auditors are probably just as confused as you are. These first rounds of NERC CIP Audits, combined with the site visits that I hope at least some of you took advantage of prior to the July 1 enforceable date for V5/V6, are probably going to lead to more questions than answers on both the enforcement and Entity sides of the house. For those of you fortunate enough to be registered in multiple NERC Regions, I think it will also take a year or more before there is any sort of consistency from Region to Region on how these requirements are going to be enforced. My hope is that, unlike the V1-V3 days when the audit process was far more dictation to the Entities than collaboration, the outreach that NERC and the Regions have provided via workshops and site visits will foster a more collaborative experience for both the auditor and the audited. My concern is that, especially in these first rounds of audits, there will be pressure from NERC and FERC to make examples out of certain “Potential Violations” to demonstrate the effectiveness of the standards and of the standards development process itself.
2. Vendors are coming out of the woodwork to “help” the industry deal with the compliance challenges around NERC CIP. I’ve talked to several of my current clients, and they have told me how they are being bombarded by vendors and consultants offering the greatest things since sliced bread in the form of NERC CIP software and services. Last year I did a post called “Buyer Beware” that offered advice on entertaining vendors that all of a sudden tout their industry-leading experience in NERC CIP. In fact, when the Anfield Group started back in 2009, the playing field in the NERC CIP space was very limited. Now everyone and his cousin is a NERC CIP “Expert”. I encourage you to really check references on any vendor that boasts of its NERC CIP capability and see what it has actually done in the space. There are going to be a lot of ambulance chasers in these first rounds of NERC CIP V5/V6 Audits. Make sure you align yourselves with a partner that has negotiated settlements, developed and implemented mitigation, integrated automation and security technologies, and left its clients with sustainable and repeatable processes and controls.
3. Are you guys still setting the bar at Compliance? Hopefully, in all of your V5/V6 prep, you’ve started to see that ramping up to meet a regulatory model that is this slow and tedious does very little to establish a sustainable and reliable security program. Having security and operational best practices in place that map back to the NERC CIP Framework, and to other frameworks, is the only way to really sustain a holistic approach in which compliance becomes a natural byproduct of actually being secure first.
All this being said, I do think progress has been made with the V5/V6 CIP Standards. Yes, there are still some loosely defined terms and some subjective interpretations, but compared to where we were in the Version 1-3 days, I don’t think we are even on the same planet. For me, the biggest remaining problem is the slow pace at which these Standards are developed. If we are really here to address security and reliability, then why have such a slow and tedious Standards Development Process? Currently, by the time a standard is completed, the threats we are trying to address have moved far beyond the standards with which we’ve been trying to comply. To me, this is an issue that desperately needs to be addressed.