
NERC Compliance Automation:

Can It Be Resource and Cost Effective?

Whitepaper

Presented by: 3Sys & SigmaFlow


NERC (North American Electric Reliability Corporation) compliance management has always been challenging for utilities,
which often have to work with already limited resources. Enforcement and compliance have been further complicated by
today’s heightened and frequently changing cyber security concerns. This paper presents an overview of the key CIP
(Critical Infrastructure Protection) requirements for NERC compliance, discusses a practical approach to establishing a
compliance program, and outlines an automated, cost-effective solution that reduces risk while improving the efficiency
of the compliance process.

The Problem
Compliance with regulatory standards is critical, perhaps second only to employee safety and reliable power generation and
transmission. In years past, a multitude of processes for collecting compliance data – manual or systemic, distributed or
centralized, dynamic or static, pull or push – were sufficient to meet compliance requirements. That is no longer
the case in today’s changing compliance environment, which demands immediate answers and readily auditable
trails. Spreadsheets, databases, digital documents, binders of paper, various calendaring techniques and multiple process
owners no longer suffice; more sophisticated program management and automation are required. This is true for all types of
compliance: environmental, NERC CIP and O&P, OSHA, and other city, county, state, and Federal considerations.

However, implementation of a sophisticated process must be balanced with the practicality of managing and reporting
requirements. The recurring question is how to create situational awareness for those who need to know: senior
management, operational managers, compliance team members, field engineers, and other stakeholders?

Therefore, the industry needs a compliance management solution that addresses all regulatory compliance management
needs, is cost effective, resource efficient, and leverages tools already used in the current environment. High and Medium
Impact facilities need a specific toolset: logging, alerting, reporting, access control, and monitoring. Low Impact facilities
have a smaller set of requirements to maintain, but still require highly efficient tools that optimize the productivity of their
limited facility employees.

Creating and maintaining a CIP compliance program can be both cumbersome and costly. Internal compliance individuals
and/or teams can reduce the drain on people’s time and resources by streamlining operational work efforts or automating
the processes that support a CIP-compliant environment. Given the large amount of data collection required to continuously
analyze and demonstrate compliance, data repositories need to be transformed into useful management information that allows
the appropriate resources (human, financial, technological) to maintain a state of compliance within the organization in the most
efficient manner possible.
[Diagram: CIP Program Lifecycle. Quadrants: Work, Risk, Business, Compliance. Lifecycle stages: Identification, Assessment, Correction, Best Practice, Up to Speed, Simplification, Automation. Outcomes: End-to-End Solution, Real-Time Audit Readiness, Transparency and Oversight. Centre: CIP Process.]
Figure 1 provides an overview of the CIP Program Lifecycle. While high-level, it clearly shows the need for seamless
interaction between a compliance manager or consultant CIP SME (subject matter expert) and each step in the compliance
solution. Missteps in any stage of the process can result in significant non-productive costs in addition to the potential
consequences of a control failure which results in non-compliance.

“While many of the proposed standards retain the traditional approach of clear, easily enforceable requirements with
zero room for error, CIP Version 5 recognizes that in some cases reliability is better served with flexible, adaptable,
self-correcting requirements. For example, for Low Impact cyber systems, the standards have adopted programmatic
controls rather than specific cyber controls. These new approaches require more sophisticated audit procedures to
ensure compliance, because they are focused on implementing risk-based policies instead of filling out paperwork to
document compliance with specific requirements. But despite the increased enforcement challenge, these new
approaches have the potential to more effectively and efficiently protect our Nation’s critical infrastructure”.

– Version 5 Critical Infrastructure Protection Docket No. RM13-5-000

Figure 1: NERC CIP v5 Low Impact Program Life Cycle

NERC CIP Reliability Standards Version 5:
• CIP-002-5.1 – BES Cyber System Categorization
• CIP-003-6 – Cyber Security – Security Management Controls
  – R1 – Low Impact Cyber Security Policy(ies)
  – R2 – Attachment 1 – Cyber Security Plans for Low Impact BES Cyber Systems
  – R3 – CIP Senior Manager
  – R4 – CIP Senior Manager Delegates

Policies & Procedures, Lists, Data, Information, Programs, Plans:
• (Implicit) – Cyber Asset Inventory
• BCS List
• BCA List
• Security Awareness
• Physical Security Controls
• Electronic Access Controls for External Routable Connectivity (LERC) and Dial-up Connectivity
• Cyber Security Incident Response
• Transient Cyber Assets and Removable Media Malicious Code Mitigation
• Other Supporting Documentation

Reliability Standard Audit Worksheet:
• CIP-002-5.1 – BES Cyber System Categorization
• CIP-003-6 – Cyber Security Management Controls

Evidence and Artifact Repository:
• Windows Directory / Shared Drive / SharePoint
• SigmaFlow Compliance Manager – Documentation & Workflow Management, Evidence Collection, Reporting
Automation Considerations
To maximize efficiency and seamlessly connect all stakeholders, the industry needs a comprehensive compliance management tool
that provides document management, workflow management, task management, personnel management, data collection,
aggregation and reporting. The application needs to integrate with existing network devices and monitoring software, using
date- or event-driven triggers for tasks to be done, while maintaining records of work that has already been completed.

The tool should provide internal reports from the data as the utility prepares for regulatory reporting and audits. The
application should be able to maintain and generate evidence as needed to demonstrate compliance across the
organization without sacrificing flexibility or being limited to specific regulations. The application should be as configurable
as appropriate for low, medium or high impact utilities, but also simple to use and interpret by the organization on a
day-to-day basis.
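The two trigger styles just described (date-driven review intervals and event-driven follow-ups) and the record of completed work can be sketched in a few dozen lines. The following is an added illustration, not code from SigmaFlow, 3Sys or this paper: asset names, events, the requirement labels and the review intervals are constructed or assumed, and the hash-chained ledger is one common way of making an evidence repository tamper-evident so that a later edit to a completion record is detectable at audit time.

```python
"""Date- and event-driven compliance tasks over a tamper-evident evidence ledger.
Added example, not SigmaFlow/3Sys or whitepaper code; names, events, requirement
labels and review intervals below are constructed or assumed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

ORG = "organization"
# Event-driven triggers: asset event -> follow-up task (assumed mapping).
EVENT_TRIGGERS = {"config_change": "baseline-validation", "asset_added": "bca-list-update"}


@dataclass(frozen=True)
class ReviewRule:
    """Date-driven trigger: `task` is due again `interval_days` after its last completion."""
    task: str
    requirement: str    # label only; hypothetical mapping to a CIP requirement
    interval_days: int  # assumed interval, not taken from the standard
    per_asset: bool     # True: one task per cyber asset; False: one organisation-wide task


@dataclass
class EvidenceLedger:
    """Append-only record of completed work; each entry hashes its artifact and the previous
    entry, so editing any entry afterwards breaks the chain and is caught by verify()."""
    entries: list[dict] = field(default_factory=list)

    def record(self, task: str, scope: str, completed_on: date, artifact: bytes) -> dict:
        entry = {"task": task, "scope": scope, "completed_on": completed_on.isoformat(),
                 "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
                 "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or e["entry_hash"] != self._digest(e):
                return False
            prev = e["entry_hash"]
        return True

    def last_completed(self, task: str, scope: str) -> date | None:
        done = [date.fromisoformat(e["completed_on"]) for e in self.entries
                if e["task"] == task and e["scope"] == scope]
        return max(done) if done else None


def date_driven_tasks(rules, assets, ledger: EvidenceLedger, today: date) -> list[dict]:
    """Open tasks whose interval has elapsed or that were never completed."""
    open_tasks = []
    for rule in rules:
        for scope in (assets if rule.per_asset else [ORG]):
            last = ledger.last_completed(rule.task, scope)
            due = last + timedelta(days=rule.interval_days) if last else today
            if due <= today:
                open_tasks.append({"task": rule.task, "scope": scope, "requirement": rule.requirement,
                                   "due": due.isoformat(), "days_overdue": (today - due).days})
    return open_tasks


def event_driven_tasks(events, ledger: EvidenceLedger) -> list[dict]:
    """Open a follow-up task for each known event with no completion recorded after it."""
    open_tasks = []
    for ev in events:
        task = EVENT_TRIGGERS.get(ev["type"])
        if task is None:
            continue  # unknown event types are ignored rather than silently mapped
        last = ledger.last_completed(task, ev["asset"])
        if last is None or last < date.fromisoformat(ev["date"]):
            open_tasks.append({"task": task, "scope": ev["asset"],
                               "triggered_by": ev["type"], "event_date": ev["date"]})
    return open_tasks


# Constructed sample data: two assets, two rules, four events, evaluated as of 2016-06-01.
RULES = [ReviewRule("policy-review", "CIP-003-6 R1", 365, per_asset=False),
         ReviewRule("access-control-review", "CIP-003-6 R2", 180, per_asset=True)]
ASSETS = ["substation-rtu-01", "plant-hmi-02"]
EVENTS = [{"type": "config_change", "asset": "substation-rtu-01", "date": "2016-05-20"},
          {"type": "config_change", "asset": "plant-hmi-02", "date": "2016-02-01"},
          {"type": "asset_added", "asset": "plant-hmi-03", "date": "2016-05-28"},
          {"type": "maintenance_window", "asset": "plant-hmi-02", "date": "2016-05-30"}]
TODAY = date(2016, 6, 1)


def build_sample_ledger() -> EvidenceLedger:
    ledger = EvidenceLedger()
    ledger.record("policy-review", ORG, date(2015, 4, 15), b"policy v3 approved")
    ledger.record("access-control-review", "substation-rtu-01", date(2016, 3, 1), b"access list ok")
    ledger.record("baseline-validation", "substation-rtu-01", date(2016, 3, 1), b"baseline: no change")
    ledger.record("baseline-validation", "plant-hmi-02", date(2016, 2, 3), b"baseline: approved change")
    return ledger
```

Run against the sample ledger, the date-driven pass reports the organisation-wide policy review as 48 days overdue and the never-reviewed `plant-hmi-02` access review as due today, while the event-driven pass opens a baseline validation for the RTU whose configuration changed after its last validation and a BCA list update for the newly added asset; the `plant-hmi-02` change is already covered by a later validation, and the unknown `maintenance_window` event is ignored rather than guessed at. `verify()` returning false after any entry is edited is the property an auditor relies on when the repository is offered as evidence.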

Figure 2: Elements of a NERC Compliance Management Software Solution for CIP & 693 Compliance

Audit Readiness
• 1-click RSAW generation
• Workflow templates
• Workflow automation
• Seamless system integration

Change Management
• Compliance rules enforcement

Evidence Management
• Automatic document review schedules
• Document version control and history

Compliance Status & Updates
• Pre-configured and customized compliance dashboards
• Standards updates management

Knowledge Management
• Workflow with task guidance
• Data repository
• Automated notifications

Self Certification
• Automated RSAW generation process
• Review and approval tracking

The elements of a compliance management solution are shown in Figure 2. Each of these elements should be considered
when evaluating an automated solution. Several toolset categories need to be considered, including the management of cyber
asset configurations, logging and alerting based on cyber asset monitoring, access control to electronic and physical assets,
documentation management, and a repository that collects and manages the data for the eventual audit package output.
Solution Selection
When selecting an automated solution, companies must first fully understand their core business needs and evaluate which
needs are effectively met by each application or software product. It is generally helpful to consider a few scenarios as you
develop your business needs. Below is a basic list of requirements that should be considered when evaluating a product:

The Right Automated Solution Will:


• Leverage your existing IT infrastructure
• Integrate with your existing compliance toolsets
• Be capable of on-premise or hosted (cloud) implementation for low impact utilities
• Be highly configurable but simple to use, requiring only an in-house User Admin (not the software supplier) for customization
• Be cost effective
• Simplify the compliance management process and reduce compliance management personnel hours
• Generate the final copy of completed reports to be submitted to regulatory bodies
• Provide task escalation and workflow calendaring
• Provide post-implementation customer service and technical support for upgrades and unforeseen issues
• Allow for easy integration with existing applications (e.g. Tripwire, Industrial Defender, SAP)
• Allow for migration from test to production instances without major reconfiguration, excessive conversion costs, or
data/functionality loss
• Have published minor and major release schedules and processes for applying hot fixes or critical code fixes

Successful Deployment
Once a solution has been selected, an implementation process must be defined. This includes identifying the participants and
stakeholders, the time allocation of the appropriate resources, and an implementation timeline with defined milestones and
support from the “Kickoff” to “Go-Live”.

Figure 3 provides a high-level outline of the major steps for implementing a compliance solution.

Platform Deployment
• Kickoff Project
• Create Site (Install)
• Orientation & Requirements

NERC Controls
• Design & Approval
• Configuration & Review
• Integration Configuration

User Acceptance Testing
• Training
• Testing
• Refine Configuration

Training
• End User Training
• Administrator Training
• Support Training

Go-Live
• Go-Live Support
• Project Post Mortem

Transition to Support
• Introduce Support Team

Figure 3: Implementation of compliance management software


Conclusion
Compliance requirements behind NERC CIP and other regulatory standards present significant challenges for companies.
The acquisition of appropriate subject matter expertise, coupled with a solid compliance management process supported by
software, can make the process more reliable, cost effective and timely. By highlighting some of the key processes
involved, it is our hope that we can help companies (whether low, medium or high impact) identify their “pain points”,
evaluate tools and find the most cost effective, scalable and effective solution to meet their compliance needs.

Sample Implementations
Compliance solutions have been successfully implemented at a number of utilities.

Reduction of potential violations:


A large utility in the Midwest completed an audit where 17 potential violations were identified. SigmaFlow’s
NERC Compliance Solution was implemented and Change Management, Baseline Validation and RSAW
generation capabilities were configured. The potential violations were reduced to 4 prior to the next audit.

Customer Testimonials
“...the SigmaFlow solution helped us reduce our RSAW production development time from 2000+ hours per year
to less than 200 hours per year.”

“...what a life-saver. I was able to pull additional evidence requests during our audit in a matter of minutes!”

“SigmaFlow is a real time saver and support is awesome”

About 3Sys and SigmaFlow


SigmaFlow is a leading provider of Process Execution solutions. The company’s NERC Compliance Solution is a real-time,
evidentiary based software solution that solves the challenges of CIP & 693 Compliance. The SigmaFlow Compliance Solution
manages all documents, data and work activities while automatically collecting and building the evidence for NERC
compliance in a real-time repository. SigmaFlow products place a strong emphasis on embedding domain knowledge through
a process-driven template-based-architecture. SigmaFlow is headquartered in Plano, Texas.

3Sys is a compliance management firm that provides hands-on support to the Energy Industry. Expertise includes NERC
regulatory requirements for critical infrastructure protection (CIP), physical and electronic security, implementation and support
of compliance workflow tracking applications, and enterprise compliance program management. 3Sys differentiates itself in
the market by actually performing the regulatory management tasks versus only providing consulting on how tasks must
be performed. 3Sys staff implement, integrate, support and maintain compliance programs in conjunction with client staff.
3Sys Corp is headquartered in Portland, Oregon.

For more information about our products and services visit our website(s) or contact us at:

3syscorp.com sigmaflow.com
info@3syscorp.com info@sigmaflow.com

To learn more, contact us at 972.826.4350 or visit sigmaflow.com
