Compliance auditors at the Texas Reliability Entity urged utilities April 24 to think of them not as antagonists looking to get them in trouble, but as allies in the mission of maintaining grid reliability.
“We’re not looking for more work,” Paul Hopson, compliance team lead at Texas RE, said at the regional entity’s Spring Standards, Security and Reliability Workshop in Austin. “We’re looking for compliance, of course. We want to help you get there. Believe me, we will. We’ll stay there all week … and even more time if we need to, to help you show compliance. If you need more time, we’ll be happy to review whatever you want to give us to look at. But our job is to ensure the reliability and stability of the grid.”
Hopson’s presentation focused on how responsible entities should prepare for walkthroughs performed during audits related to NERC’s Critical Infrastructure Protection (CIP) standards, which govern both physical and digital security. He said walkthroughs can help identify issues in both areas.
Entities often think of physical security as limited to installations, like fences, gates and barriers to deter unauthorized access, cameras to monitor activity around the site, and access-control measures such as keycard readers and alarms, Hopson said, with cybersecurity seen as a separate specialty.
However, he noted there is actually considerable crossover between these areas. For example, CIP-006-6 (Cyber Security — Physical Security of BES Cyber Systems) requires entities to secure the physical points of access to certain grid cyber systems. As a result, utilities should be aware that cybersecurity audits may involve site visits in addition to software inspections.
“When we go on-site, and we’re doing these reviews … we’re going to look through these things,” Hopson said. “We may not check every door lock; we may not look for every cyber asset that … wasn’t in scope. But since we’re there … we’re going to try to point out any vulnerabilities.”
Hopson was asked what auditors would do if they noticed a deficiency with a CIP standard that was outside the scope of their audit. He acknowledged that while the team would not expand the scope on the spot, “if there’s something that … leads to a noncompliance, yeah, we are going to have to have that discussion” with the utility’s staff.
He emphasized that this is not just a hypothetical situation, but something his team has encountered numerous times. When he joined the compliance team in 2016, Texas RE auditors performing compliance checks for CIP-012-1 (Communications between Control Centers) would also frequently find issues with the CIP-006 standards.
Although they did not specifically check for such problems, the issues were easy to spot for auditors familiar with both standards, because the CIP-012-1 audit required them to be in control centers where the access hardware for cyber systems was visible.
Hopson said that entities have been “doing a much better job” with CIP-006 compliance in recent years, but auditors still keep their eyes open when performing a CIP-012 audit because “that’s just part of our risk-based approach.” When asked what long-term effects such a finding would have besides a recommendation to the registered entity involved, Hopson acknowledged auditors would notify the RE’s Risk Department, and the CIP-006 deficiency “may end up on an audit in the future.”