NERC Changes Violation Handling

(Following NERC security is a full-time endeavor these days. To that end, is looking for a NERC correspondent. Ideally this would be someone who follows NERC security as part of their job, has the ability to comment publicly, and has some opinions and analysis to go along with covering the NERC security news.)

NERC sent FERC a Petition Requesting Approval of New Enforcement Mechanisms and Submittal of Initial Informational Filing Regarding NERC’s Efforts to Refocus Implementation of its Compliance Monitoring and Enforcement Program. I was pointed to the document and a couple of key passages by Ronnie Fabela with Lockheed Martin Energy & Cyber Services.

NERC should be commended for candor by stating throughout the document that the CIP standards have created the wrong type of security culture. An example from page 2:

Specifically, employees of Registered Entities have become focused on the minutia of compliance and penalty avoidance rather than on best practices and excellence. (emphasis added) Those who draft Reliability Standards have become focused on avoiding what they view as compliance pitfalls. Status quo processing requirements will continue to produce the results we now have: (i) little to no differentiation of process treatment until the filing stage; (ii) significant paperwork, man-hour and administrative burdens for lesser risk issues; (iii) lengthy processing times for all issues; (iv) delays in information dissemination and transparency; and (v) potentially unintended signals and results that industry stakeholders should manage compliance risks rather than reliability risks.

NERC will now implement a three-track process for dealing with violations:

  1. Notice of Penalty (NOP)
  2. Find, Fix, Track and Report (FFT) for lesser risk issues that have been corrected
  3. Dismissal

The FFT is the new part of the process. It is meant to reduce the paperwork, cost and time for all involved with NERC CIP while still getting violations addressed. It will be used for violations that pose a lesser risk to the Bulk Power System, and the Petition lists the criteria for determining whether the NOP or FFT track is appropriate on page 1. From pages 2 and 3:

Under the process proposed in this filing, lesser risk issues will be found, fixed, tracked and reported to Regional Entities, NERC and FERC, instead of being processed in a NOP as violations subject to penalties or sanctions. Those responsible for enforcement must exercise the discretion to determine that, once fixed, no additional compliance resources will be expended on a particular matter, given other demands and priorities. Therefore, the formal regulatory process will be used for violations that pose a more serious threat to the reliability of the BPS and will not be clogged up by lesser risk issues that have already been fixed.

NERC is careful to point out that all violations will be addressed, tracked and reported. From page 27:

Each and every such lesser risk issue must be corrected and reported to Regional Entities, NERC and FERC. Upon correction and submittal of Registered Entity’s statement of completion of mitigating activities, the lesser risk Possible Violations will become, and be referred to as, Remediated Issues.

While an entity must correct the underlying Possible Violation and take actions to prevent recurrence, no penalty or sanction will be assigned to a Remediated Issue in a FFT.

This is not going to solve the entire culture-of-compliance problem with NERC CIP, but it is a big step in the right direction, especially for those utilities that want to have an effective security program.

Image by Greg Peterson