NSTAR shares NERC CIP lessons
Don't underestimate effort, value of outside help
"NERC CIP" compliance might well be akin to root canal: it's not going to be pleasant but, in the end, it's good for the utility industry. That's according to the experience at NSTAR Electric and Gas Corp., an investor-owned utility that provides electricity and natural gas to 1.4 million customers in eastern and central Massachusetts, including parts of Boston.
The critical infrastructure protection (CIP) mandates from the North American Electric Reliability Corporation (NERC) apply to utilities with generation, transmission or both.
NSTAR went through its own audit, dubbed "Audit Week" internally, in mid-June, and the process yielded a few lessons learned.
Certainly in a compliance-based exercise, the motivation to improve security (the carrot) is sweetened by potential sanctions (the stick).
"NERC CIP presents serious mandates that must be complied with and failure to do so can cost a utility some pretty big bucks," Kathy Tatum, vice president and CIO, told me last week.
There's "tremendous pressure" to avoid a failed audit, with the potential for fines and/or negative public relations, she added.
Who takes the lead?
"I've seen it vary," she said. "That's one of our lessons learned. I've talked to a number of utilities, and some of them have a comprehensive compliance organization in place that focuses on corporate compliance across the entire organization, including NERC CIP compliance. At NSTAR, although we promote a compliance culture across the whole organization, when these mandates came out we made the assumption that this was more of an IT-related security role, not a compliance role. There was so much focus on cyber security standards.
"One of our lessons learned is that NERC CIP is really a compliance program and should be treated as such," Tatum told me. "There's a lot of interpretation needed around the CIP standards. There are a lot of compliance standards that require documentation, showing 'documented evidence,' as they call it, as proof of compliance.
"Your typical security person is focused on locking things down," she said. "The compliance person says, 'Okay, we have the controls in place. So what's my evidence to prove that those controls are in place and working well?' We had the controls in place. What we needed was good documented evidence that demonstrates adherence to those controls."
Tatum's recommendation: hire an outside, third-party group that specializes in NERC CIP audits to assess your organization's readiness, well in advance of an actual audit.
"We didn't know what we didn't know," she said.
Does a third party bring a fresh set of eyes or expertise in interpretation?
"I think it's both," she said. "When you're so close to things you perhaps don't see where you can get better. If you live and breathe it every day, it's hard to take that step back and see it as an auditor would see it."
Another recommendation: make your documentation very clear and easy to understand from the auditor's perspective. You want the auditor to have a good experience and clear documentation sets a positive mood for the audit.
And be ready to assign internal resources to the task—a part-time job for some staff, a full-time job going forward for at least two people at NSTAR.
"An assumption we made was that because this was an audit done once every few years, we didn't need full-time dedicated resources on it," Tatum said. "We were wrong.
"There are very specific roles you need on a full-time basis just to stay up on all the changes to the standards, all the idiosyncrasies that change fairly regularly on how things need to be documented," the CIO said. "That's the compliance piece. You also need a full-time person just to monitor that the requirements that you must meet every month—things like patch management—are being done and that they are being documented."
Then there's the difference between securing a corporate network and control systems.
"We have implemented solid security standards, procedures and policies on our corporate network that are based on industry best practices," Tatum said. "However, these standards are not as restrictive as the security standards for the SCADA environment, which resides on its own separate network as required by the NERC CIP compliance rules.
"If the corporate network comes down, that's a huge imposition on the business," she continued. "If SCADA comes down, that could be life-threatening. If someone compromises your SCADA network, it's possible they could compromise the bulk electric system across multiple states, even a whole region. If our bulk electric system is compromised, its impact could be far reaching."
Thus, in Tatum's view, NERC CIP compliance has proven to be useful.
"In my personal opinion, I think the NERC CIP standards and requirements—at least the premise behind them—are good ones," she said. "There was a need to ensure that utilities were securing these environments for the safety of citizens by ensuring that utilities were doing everything possible to reduce the risk of the bulk electric system becoming compromised. Something needed to be done. Even if your mindset is usually focused on compliance, you're probably more secure than you were before the NERC CIP mandates were implemented."
Last recommendations: Do not underestimate the effort involved in compliance. Get executive management buy-in and support.
"After the mock audit was conducted by a third-party group three months prior to the actual audit, all other work in our security group not related to the NERC CIP audit prep came to a standstill," Tatum acknowledged. "That was very disruptive to the business, but it was a priority at the executive level. So we had the support we needed to get the required work completed.
"When you have that hanging over your head, the executive team said, 'Nothing else matters right now.' The NERC CIP compliance program became a priority within the organization, not only short term for audit week, but long term as well, to ensure that NSTAR continued to promote a 'culture of compliance' throughout the company," she concluded.
NERC CIP compliance is on the agenda at the Knowledge2011 Executive Summit in Amelia Island, Florida, Nov. 7-9, where you can join executives in leadership positions in IT, operations and customer service for industry-leading discussions of critical issues.
Related articles you may find useful:
"Cyber Security: Threats and Opportunities"
"CIP: Creating a 'culture of compliance'?"
Phil Carson
Editor-in-chief
Intelligent Utility Daily
pcarson@energycentral.com
303-228-4757