Complying with North American Electric Reliability Corporation (NERC) requirements can be a challenge, especially with regard to the NERC CIP (critical infrastructure protection) requirements, which cover cybersecurity fortification.
NERC has the best of intentions. NERC’s stated mission is to “assure the reliability and security of the bulk power system in North America,” which is quite admirable especially from an emergency preparedness perspective. But sometimes the organization’s regulatory requirements for electric utilities can be cumbersome.
This is why I was ecstatic to stumble onto an article from a former NERC auditor that covers the top-5 mistakes he saw while in the field with regard to NERC CIP compliance requirements. I previously provided tips on how to properly complete a NERC reliability compliance audit, and this post is another tool for your NERC compliance toolbox.
Top NERC CIP Mistakes
For the full detail on this list, click here. What follows is an abbreviated version of the top mistakes to whet your whistle.
- Connecting compliance with bonus compensation – The requirements are designed to identify critical issues and solutions to those issues, which benefits both utilities and their customers, but when compliance is tied to compensation, it could motivate certain employees or decision makers to sweep non-compliance issues under the rug.
- Lack of preparation for a NERC CIP audit – Utilities will get audited for this sooner or later, so it is helpful to prepare for this inevitability by doing a mock audit, ideally with an emergency preparedness company that specializes in such things.
- Lack of evidence to support compliance – My math teachers always used to say “show your work,” and the same principle applies here. All relevant processes and procedures should be properly documented, signed off on, and followed.
- Analysis paralysis – Some utilities go overboard analyzing the requirements, looking for “gotchas” that aren’t there. The requirements are not designed to trick, common sense is all that is needed to comply.
- Lack of proper training on NERC CIP requirements – Employees can only be expected to comply with what they understand, so training is not only helpful for knowledge sharing, but it is also required under CIP-004 R2 of the NERC CIP program.