NERC’s enforcement power
NERC has regulatory authority within North America to “assure the effective and efficient reduction of risks to the reliability and security” of the energy grid. Its eight regional entities monitor and enforce compliance with the NERC Reliability Standards. According to NERC, organizations should initiate self-reporting within three months of discovery of noncompliance with NERC’s Reliability Standards.
Delay in self-reporting could affect penalties and have other consequences. In addition to expecting self-reporting, NERC can also monitor compliance through regularly scheduled compliance audits and spot checks.
NERC may issue monetary penalties and/or increase its compliance monitoring of noncompliant organizations. NERC will consider the number and severity of instances of noncompliance when determining penalties and, as illustrated by the recent Notice, it may find that the number of violations itself creates a serious risk, even if individual violations are less serious.
The January 25, 2019 enforcement notice
In its recent Notice, NERC alleged failure to:
- Accurately describe and update organizations within a Bulk Electric Systems (BES) Cyber System (BCS) inventory, under CIP-002-5.1.
- Follow documented change control and configuration management processes, under CIP-003-3.
- Provide annual cybersecurity training, under CIP-004-3a and CIP-004-6.
- Implement organizational processes and technical and procedural mechanisms for controlling access to Critical Cyber Assets (CCA) (equipment and systems that are essential to the reliable operation of Critical Assets, including facilities and systems that if destroyed or rendered unavailable, would affect the reliability or operability of the BES), under CIP-005-3a.
- Monitor for vendor security, including physical and electronic access to CCAs, under CIP 004-6, CIP-007-6, and CIP-007-3a.
- Maintain a written Cyber Vulnerability Assessment (CVA) action plan, under CIP-007-3a.
NERC anticipated that additional instances of noncompliance would be discovered in the course of the corrective measures specified in the settlement, and the utility company is required to report those instances to NERC as they are discovered and addressed.
The best lessons from a regulatory settlement such as this one may be contained in the settlement terms themselves. Under this settlement, the utility company must:
- Increase senior leadership involvement and oversight, including by providing quarterly compliance reports to the board of directors.
- Centralize the CIP oversight department, which may include restructuring roles within the department and having areas dedicated to standards, enterprise oversight, enterprise CIP tools, compliance metrics, and regulatory interactions.
- Conduct industry surveys and benchmark discussions to assist with developing best practices relating to sustainable security and compliance practices.
- Create and maintain an in-house CIP training program, including oversight training, awareness training, and performance training.
- Make improvements to access management, including in the form of visitor logging and vulnerability assessments.
- Add resources as needed to help manage and implement CIP compliance and security efforts.
- Perform annual compliance drills.
Through this Notice and settlement, NERC is sending the message that the electric industry needs to take the CIP Reliability Standards seriously. NERC is looking for specific instances of noncompliance, but NERC also expects a culture of compliance. Responsible entities should take steps to educate senior management on cybersecurity risks and allocate the resources necessary to implement a cybersecurity program consistent with CIP Reliability Standards and other compliance obligations. Engagement, support, awareness, and accountability are all key to this effort, across the enterprise and up the management chain.
Client Alert 2019-044