
How to Report on NERC CIP Standards


The Federal Energy Regulatory Commission (FERC) is the governing body in charge of monitoring and enforcing the regulations put forth by the North American Energy Reliability Corporation (NERC). Where NERC is in charge of developing and maintaining the rules for contractors and for national and regional entities working with the Bulk Electric System (BES), FERC runs audits and enforces penalties and sanctions on those who are not compliant with NERC.

As these agencies work together, NERC drafts its legislation iteratively, in versions. At the time of writing, the NERC Critical Infrastructure Protection (CIP) framework is in version seven. The NERC CIP framework is primarily a reliability standard designed to ensure the continued operation of the BES and the security of its physical and critical cyber assets. As the landscape and rules evolve, new regulations are introduced that often serve as key points for the next version; they are labeled as ‘subject to future enforcement’. One of the most significant changes between versions of the NERC reliability standards is the scope that new regulations encompass and the phasing out of regulations that are no longer necessary or have proven counter-intuitive alongside new controls. Security management controls that are en route to being terminated, or are being considered for termination, are labeled as ‘Pending Inactive’. Through our research, we’ve found that the language used for these updates is, at times, overly intricate and verbose. Since the impact on the Bulk Electric System can be so devastating, such rigid and legalistic language leaves as little room for misinterpretation as possible. Previous controls have been ushered out entirely due to having vague and indirect guidance. In an effort to ease the transition between NERC CIP versions for organizations, NERC releases transition guides to help responsible entities stay ahead of the curve and avoid possible sanctions from a FERC audit.

Risk Dashboard

In the event of a FERC audit, the auditor is looking for organizations to pursue a risk-based approach. Being able to quickly illustrate your organization's cyber risks with an integrated risk management tool like CyberStrong, which includes a risk dashboard, will make this conversation far more meaningful. With this being said, it is unlikely that a full audit will be performed. Instead, FERC is more likely to perform targeted audits on areas of interest within the organization, such as reliability, affiliated transactions, gas and electric tariffs, market-based rate authority, and record retention compliance.

In a FERC audit (whether specialized or general), the auditor looks for five key things in each control: requirements, transparency, accountability, operational efficiency, and effectiveness.

  • Requirements: What policies are needed to maintain the functionality of the control?
  • Transparency: How easy is it to access the control, and who has the ability to view it?
  • Accountability: Which parties are responsible for maintaining the policies within the control, and who has access to influence them?
  • Operational Efficiency: How well is the control able to operate, and which factors could have consequences for a specific operation?
  • Effectiveness: How well does the control function, and how does it influence other controls within NERC CIP?

FERC audits begin with a commencement letter sent to the organization and posted publicly on the Commission's online eLibrary. This commencement letter outlines the purpose and scope of the audit, the overseeing authority conducting the audit (FERC), and the state’s management contact information. The staff conducting the audit will use observations, process walk-throughs, data requests, interviews, and analytical testing to determine your entity’s compliance with NERC CIP standards. Upon finishing the audit, the auditors sit down with company officials in an Exit Conference to inform them of what they found during their investigation, to highlight areas of improvement, and to provide a draft audit report to the company being audited. The Exit Conference is held to maintain the transparency of the audit and to ensure that the audit reporting is accurate. Afterward, FERC will send either a Commission order or a letter order to your organization and issue the final audit report with the company’s response attached. At the end of FERC’s audit, the results are posted publicly on the eLibrary as well. This is done to give entities and the industry as a whole insight into areas of concern, and to allow compliance officers to replicate and test FERC's audit procedures. Annually, audits are summarized and compiled into the Annual Report on Enforcement, which can be found here.

NERC CIP is a critical framework that serves to protect the Bulk Electric System from cybersecurity threats and bad actors. By paying attention to the transition guidelines, adjusting policies to oncoming trends, and taking a risk-based approach to NERC CIP, CISOs and CFOs seeking to stay compliant should consider the scope of their current policies when adding new controls.

If you’re curious how your organization stacks up to a NERC CIP audit, our patented Integrated Risk Management platform, CyberStrong, is capable of running assessments, generating reports, managing audits, and measuring your entity’s cyber security and risk posture so you can minimize your risk and enable continuous NERC CIP compliance. Feel free to give us a call at 1-800-NIST CSF for a free demo or visit our website at www.cybersaint.io.
