NERC CIP and the Importance of Consistent Compliance
The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a plan comprising a set of requirements. The NERC CIP developed and designed a series of standards intended to protect any assets used to operate North America’s Bulk Electric System (BES). North America includes, for the purposes of NERC CIP, the United States, Canada and Mexico.
What Is the North American Bulk Electric System?
The BES includes any Transmission Elements set to operate at one kV (kilovolt) or higher. Real power and reactive power sources, on the other hand, call for BES tapping into resources connected at 100 kV or higher.
The Energy Act of 2005 (EPAct) added Section 215 to the Federal Power Act, giving NERC and the Federal Energy Regulatory Commission (FERC) the authority and ability to establish and enforce reliability standards on everyone using the BES, including all users, owners and operators. These entities may include public power entities.
Essentially, the BES covers a large framework of interconnected facilities and control systems needed to effectively and efficiently operate an electric energy transmission network, not including those entities functioning on a local level.
A few of the specific power resources over 100 kV that fall within the BES are the following:
- Transformer resources
- Generating sources, such as generating terminals
- Blackstart resources that are designed to remain active and energized without connection to the rest of a system
- Dispersed power that produces aggregate resources that is distributed to individual resources and specialized systems
- Static and dynamic devices that do not include generators, dedicated to absorbing or distributing reactive power resources
Combined, NERC’s programs impact more than 1,900 bulk electric power system operators and owners. The primary goals of these programs include ensuring learning, assurance and risk-based approaches to improving operations and reliability of the electrical grid across the entire continent.
Of course, such a large-scale power program needs a strong set of regularly updated standards and regulations that require compliance to ensure smooth-running operations and consistent power supply to recipients.
Does Your Company Require NERC Compliance?
Any business that owns, operates and uses any type of bulk electric power system must comply with all NERC-approved Reliability Standards. Any of these business entities must register with NERC through the appropriate Regional Entity.
If your organization holds NERC registration as a user, owner or operator within the bulk electric system in the U.S., you must become and remain NERC CIP compliant. Your professional compliance team can help you determine whether—and to what degree—you must comply with the plan’s requirements.
As so much of this work is now done on a digital and online level, it is important to also consider the technological risks. NERC CIP has provided a cybersecurity framework that allows for the identification and security of critical cyber assets that can greatly impact and control the reliability of North America’s BES.
Why Is NERC CIP Compliance So Important?
NERC CIP and its regional bodies take compliance very seriously, in order to ensure consistent and effective power to all recipients. They use Compliance Monitoring and an Enforcement Program to monitor, assess and enforce uniform compliance.
At any time, your business—as a Registered Entity—may be subject to an audit or spot check for compliance with all Reliability Standards applicable to your organization. This means that you must constantly remain vigilant in your compliance efforts. The NERC has set forth a collection of NERC Sanction Guidelines that include some monetary fines that could reach six figures, depending on the type and degree of compliance violation.
The pressure in this industry is high and, as you know, it is necessarily so. When a massive continent is counting on you as part of the power grid, it really is a huge responsibility.
What Are Some of the Most Important Requirements for NERC CIP Compliance?
As long as you understand the NERC CIP Reliability Standards and Requirements, it is probably easier than you imagine to become and remain consistently compliant.
Take a few moments to review some of the most important requirements for NERC CIP compliance:
- Program Development and Management
- Compliance Audits and Assessments
- Patch Management
- Vulnerability Assessment and Management
- Incident Reporting of Cybersecurity Events and Quick Response Planning
- Mock Audits
- On-the-Spot and Unplanned Audits
- Asset Identification and Configuration Management
- Reliability Standard Audit Worksheet Development
- Systems Security Assessments and Management
- Personnel Training
- Policy, Process and Procedure Planning
- Development, Documentation and Evidence Reporting
- Security Information and Event Management
- Recovery Planning
While this list is extensive and somewhat daunting, it can serve as a navigation tool for you to feel more confident in your own operations. Once you have achieved a base level of compliance and proficiency with these requirements, you can worry less about your place on the grid.
Are You Ready to Become Fully NERC CIP Compliant?
Are you worried that you may receive a surprise visit from the NERC CIP Compliance Enforcement Authority before you feel fully confident that your organization is compliant? I.S. Partners is happy to work in conjunction with RSI to provide you with NERC CIP compliance services. We will go through each requirement with you to make sure you have it covered right away. After that, you are likely to feel more confident about daily compliance.