NERC CIP Low Impact Requirements — Cultural Change

As mentioned in my previous post, NERC CIP Low Impact Requirements, this is the second installment on the implementation of the NERC CIP Low Impact BES Cyber Systems (BCS) requirements. In this post, I’ll be discussing a topic that, although not directly tied to the requirement’s language, can still be a significant factor in successfully implementing these BCS requirements.

Change in Culture

Within the utility industry, work tasks have evolved over the years based on practice, with that knowledge handed down through generations of technicians to create a familiar and unified culture.

For Entities implementing a NERC CIP program, experience has shown that while these traditional methods have worked in the past, there is a growing need to modernize them to meet today’s Standards. More importantly, if those changes aren’t properly managed, those tasks could fail to meet the necessary requirements, creating the risk of potential violations and costly additional work for everyone involved.

Through the Burns & McDonnell team’s involvement in assisting Entities with post-implementation issues not originally handled by Burns & McDonnell, or where we have started the implementation, we have found that in most cases the biggest roadblock to properly managing an Entity’s culture shift is the collective attitude of “we have always done it this way.”

Coupled with a lack of involvement from field and support staff in the design of the cultural changes, this not only creates processes that don’t resonate with the current culture, it also creates the impression that staff involvement is not important. The end result is frustrated personnel who don’t want to follow new processes that they perceive will make their jobs more difficult and affect their performance.

Managing Cultural Change

As promoted by Burns & McDonnell, and proven in other implementations we’ve studied, involving the staff impacted by the Standards is critical to creating processes that not only meet the Standards but also work within the existing culture. Here are a few recommended ideas for this approach:

  • Involve all relevant parties to the facility’s operation — not all personnel, but those key individuals with thorough process knowledge who could be influential in advocating for the modifications and their importance to fellow staff. At a minimum, this involves representation from the field technicians, information technology and networking personnel, and supervision/management staff.
  • Establish a sound justification for making the changes, show how they will ultimately improve the reliability of service for customers and stakeholder value in the company, and communicate the strategy. Making the importance of these changes clear to these parties and the customers they serve will have a greater impact and improve the chance of success.
  • Create a detailed project plan and schedule, inform all participants of the schedule, and then adjust it as needed to keep everyone informed and on track. When everyone on the project team understands where the project is going and knows about important milestones, they feel more involved and invested, ultimately creating a more engaged group.
  • Pilot any changes to verify how they work and adjust before rolling them out. Very few modifications work as originally planned, and piloting helps spot the issues early to avoid costly rework.
  • Provide necessary resources to the staff implementing the changes to make them successful. Everyone has their regular “day” job, and failing to account for the required resources will lead to project delays and missed schedules.

These recommendations may sound simple enough, but actually executing them can be a challenge given daily industry demands to “keep the lights on.” Depending on the size of the Entity, having a dedicated staff or primary individual charged with managing the implementation has proven to be a critical factor for success. That’s because dedicated staff or a primary individual should be able to determine issues early and address them before full implementation, thus avoiding “after the fact” adjustments that are more difficult to make.

It is important to remember that while the Low Impact BCS requirements are not as extensive as those for High and Medium Impact, and their impact on an Entity’s culture may not be as extensive, failure to involve staff and manage the implementation of Standards as a real project will lead to delays and consume additional resources most Entities cannot afford as April 1, 2017, approaches.

Additional Information

The following information may be of assistance in your Low Impact BCS research and implementation efforts:

  • A WECC Regional workshop on Low Impact BCS was held in July 2015. Information can be found here.
  • Burns & McDonnell will have our second annual Power Utility Security & Compliance Symposium Aug. 8-9, 2016, which will cover several subjects related to Low Impact BCS.

If you’d like to learn more about this topic, please reach out to Alan Farmer or me and we’d be happy to walk you through these NERC CIP requirements.

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities. 
