There’s been a lot of speculation about what the Federal Energy Regulatory Commission (FERC) conducting CIP audits in 2016 means, along with questions about what this could mean for the North American Electric Reliability Corp. (NERC), the Regional Entities and Registered Entities, what FERC will be auditing, and the reasons behind the audits. Here’s my assessment of the potential implications of a FERC audit of the NERC CIP Standards.
Effects on 2016 Compliance Monitoring and Enforcement Program
After reviewing NERC and Regional Entity presentations and discussing the matter with FERC personnel, I have concluded that the audits will have no effect on the 2016 Compliance Monitoring and Enforcement Program (CMEP), which was released in November and updated in early December 2015.
How Many Audits are Expected and What Will They Cover
FERC is currently working with NERC and the Regional Entities to iron out the details of what will be audited and how many assessments will be conducted. Given the known limitations of FERC’s staffing resources, it’s likely that the number of audits the Regional Entities can accomplish will be in the low teens, and maybe no more than 10. For audit coverage, I would expect FERC to concentrate at least on the identification of BES Cyber Systems (BCS) under CIP-002-5.1, the standard whose interpretation and implementation the industry has been most vocal about.
Impetus Behind the Audits
FERC’s decision can be attributed to several factors. For starters, FERC has always had the authority to conduct audits and has conducted them in the past, although we haven’t seen an audit from them since 2011.
In January 2011, a Department of Energy audit (DOE/IG-0846) found that FERC wasn’t effectively monitoring how NERC and the Regional Entities assessed the implementation of the CIP standards. In October 2015, the Government Accounting Office (GAO) released a report, “CRITICAL INFRASTRUCTURE PROTECTION: Cybersecurity of the Nation’s Electricity Grid Required Continued Attention,” covering what has occurred since 2011. In particular, the report noted FERC’s continued lack of monitoring of how NERC and the Regional Entities are implementing the CIP standards. I believe FERC has always planned to conduct audits similar to those it performed in the early days of Versions 1 and 3. The timing of the GAO report cannot be dismissed as mere coincidence; more likely, it provided additional impetus for executing them.
So what does this mean for Registered Entities? Until FERC announces what the audits will cover, when they will be done, how many will be done, and what involvement NERC and the Regional Entities will have, the best we can suggest is for Registered Entities to continue their implementation and associated documentation as planned. At this time, there’s no reason to believe the audits will change how the Regional Entities approach the standards. If anything, the audits could help bring what many believe is needed attention to some of the more ambiguous parts of the standards.
If you need help understanding what’s in store for the CIP Version 5 standards or preparing for implementation, comment below or connect with me on LinkedIn. I’m happy to help you navigate these changes.
Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.