December 25, 2024
RF Panelists: Executive Buy-in Key to CIP Success
Group Shares Tips for Building Programs, Navigating Audits
Lew Folkerth, ReliabilityFirst
The electric industry still is not taking its critical infrastructure protection (CIP) programs as seriously as it should, panelists told ReliabilityFirst.

Electricity industry leaders are still not taking their critical infrastructure protection (CIP) compliance programs as seriously as they should, speakers at a webinar hosted by ReliabilityFirst warned Monday.

“Every entity I’ve seen since I started working as a CIP auditor back in 2009 … claims to have executive support for their CIP program. And mostly that’s true — but what does support mean?” Lew Folkerth, RF’s principal reliability consultant for external affairs, said at the regional entity’s monthly Technical Talk.

In most cases, he said, “it means that they get some money [and] some people for it, and that’s about as far as it goes. The truly great entities have executives that become directly involved in the CIP and O&P [Operations and Planning] compliance programs.”

As an example of healthy management buy-in, Folkerth described a company he encountered where the CEO had weekly meetings with the CIP team “during a particularly rough period,” and “responded immediately and effectively” when the team described their needs.

Zack Brinkman, ReliabilityFirst

Zack Brinkman, RF’s manager of CIP compliance monitoring, seconded Folkerth’s sentiments, adding that having access to top executives is “just the beginning.” Beyond paying attention to the CIP team, leadership must speak up for the team within the organization to ensure that staff from other departments take their recommendations seriously, he said.

“You really want to look at executive engagement [and] executive involvement … to have a successful program. You need ownership and accountability,” Brinkman said. “NERC’s CIP [standards touch] all sorts of different departments within an organization, and one of the things we’ve seen here and in the past is … that executive support is really key to trying to break down those silos.”

The discussion also touched on practical tips for making the best impression during CIP compliance audits. Robert Vaughn, a CIP auditor with SERC Reliability, said his top recommendation to electric utilities is to ensure they have as much documentation for their CIP program and potential issues as possible. Vaughn jokingly called documentation “auditor kryptonite,” explaining that “with good documentation, we don’t ask questions; good documentation explains itself.”

“It’s like a good recipe,” he continued. “You don’t have to list every single thing in it, but you want something that is repeatable. You want to be able to produce the same thing over and over again. … I can understand that I won’t know how to do it how entity X does it, but your documentation should carry me 60 to 70% of the way down that road.”

Full documentation can also ensure that entities aren’t too reliant on individuals and their memories, Vaughn told listeners. He recalled visiting a utility whose compliance regime documentation listed three tests that were performed regularly, then speaking with the compliance manager who told him of three more tests that he performed often but did not record. In this situation, Vaughn warned, an unexpected absence by the responsible person could lead to required tasks not being done, or not being done in time.

“You don’t want a situation where Bert and Pete win the lotto and don’t come back from lunch, and nobody can do their” jobs, Vaughn said. “That’s the problem we run into a lot of times; I have … a big flowchart that has a person’s name in [it], and we’re like, what happens if [he] takes a vacation? [They say], ‘Oh, it’s never come up before.’ … That’s not a good process. … You want something that is specific, generic [and] that can survive the test of time.”
