By Nicholas Sheble
“NERC CIP compliance can be labor intensive. In fact it can be a full time job for a person depending on the size of a facility,” said Bill May, executive for global strategies at industrial software company PAS.
NERC and CIP are the North American Electric Reliability Corporation and Critical Infrastructure Protection.
NERC’s main job is working with power companies to develop standards for power system operation, monitoring and enforcing compliance with mandatory reliability standards, assessing resource adequacy, and providing educational and training resources as part of an accreditation program to ensure power system operators remain qualified and proficient.
May presented a webinar Tuesday entitled, “NERC CIP Inventory Management” that addressed the power industry’s current development of procedures and practices to conform to the NERC CIP cyber security requirements.
Specifically he discussed the time consuming tasks of gathering a complete inventory of cyber assets and managing the information for each asset.
“This information includes security and patch management, malicious software prevention management, ports and services monitoring, user account management, backup and storage management, and password change management. It’s what’s necessary to comply with CIP 002,” May said.
NERC Standards CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System.
Business and operational demands for managing and maintaining a reliable Bulk Electric System increasingly rely on Cyber Assets supporting critical reliability functions and processes to communicate internally, across functions and organizations, and for services and data. This gives rise to increased risks to these Cyber Assets.
“Standard CIP-002 requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System. These Critical Assets are to be identified through the application of a risk-based assessment.
May’s solution to this annual task of counting and identifying a utility’s critical assets automatically captures and manages the inventory necessary for a NERC CIP audit.
“As well,” May said, “it can vastly reduce the hours a company will spend on NERC CIP compliance. We have reduced the time for audit at one power generator in the Southeast from a third of a man-year to less than 10% of a man-year.”
Nicholas Sheble (email@example.com) is an engineering writer and technical editor in Raleigh, NC.