Whitepaper
The Problem
Maintaining compliance with regulatory standards is critical, perhaps second only to employee safety and reliable power
generation and transmission. In years past, a multitude of processes for collecting compliance data – manual or systemic,
distributed or centralized, dynamic or static, pull or push – were sufficient to meet compliance requirements. That is no
longer the case in today’s changing compliance environment, which demands immediate answers and readily auditable
trails. Spreadsheets, databases, digital documents, binders of paper, assorted calendaring techniques and multiple process
owners no longer suffice; more sophisticated program management and automation are required. This is true for all types
of compliance: environmental, NERC CIP and O&P, OSHA, and other city, county, state and Federal considerations.
However, implementing a sophisticated process must be balanced against the practical burden of managing and reporting on
the requirements. The recurring question is how to create situational awareness for those who need to know: senior
management, operational managers, compliance team members, field engineers and other stakeholders.
Therefore, the industry needs a compliance management solution that addresses all regulatory compliance management
needs, is cost effective and resource efficient, and leverages tools already in use in the current environment. High and
Medium Impact facilities need a specific toolset: logging, alerting, reporting, access control and monitoring. Low Impact
facilities have a smaller set of requirements to maintain, but still require highly efficient tools that optimize the
productivity of their limited facility staff.
Creating and maintaining a CIP compliance program can be both cumbersome and costly. Internal compliance staff or teams
can reduce the drain on people’s time and resources by streamlining operational work or automating the processes that
support a CIP-compliant environment. Given the large amount of data that must be collected to continuously analyze and
demonstrate compliance, data repositories need to be transformed into useful management information that allows the
appropriate resources (human, financial, technological) to maintain a state of compliance within the organization as
efficiently as possible.
[Graphic: compliance cycle labeled WORK, RISK and COMPLIANCE, with the elements Automation Identification, End-to-End Solution, Real-Time Audit Readiness, Transparency and Oversight, and CIP Process]
Figure 1 provides an overview of the CIP Program Lifecycle. While high-level, it clearly shows the need for seamless
interaction between a compliance manager or consultant CIP SME (subject matter expert) and each step in the compliance
solution. Missteps at any stage of the process can result in significant non-productive costs, in addition to the potential
consequences of a control failure that results in non-compliance.
“While many of the proposed standards retain the traditional approach of clear, easily enforceable requirements with
zero room for error, CIP Version 5 recognizes that in some cases reliability is better served with flexible, adaptable,
self-correcting requirements. For example, for Low Impact cyber systems, the standards have adopted programmatic
controls rather than specific cyber controls. These new approaches require more sophisticated audit procedures to
ensure compliance, because they are focused on implementing risk-based policies instead of filling out paperwork to
document compliance with specific requirements. But despite the increased enforcement challenge, these new
approaches have the potential to more effectively and efficiently protect our Nation’s critical infrastructure.”
Figure 1: CIP Program Lifecycle (Low Impact view)

CIP-002-5.1 BES Cyber System Categorization
Policies & Procedures; Lists, Data, Information, Programs, Plans:
• (Implicit) Cyber Asset Inventory
• BCS List
• BCA List

CIP-003-6 Security Management Controls
R1 – Low Impact Cyber Security Policy(ies)
R2 – Attachment 1 – Cyber Security Plans for Low Impact BES Cyber Systems:
• Security Awareness
• Physical Security Controls
• Electronic Access Controls for External Routable Connectivity (LERC) and Dial-up Connectivity
• Cyber Security Incident Response
• Transient Cyber Assets and Removable Media Malicious Code Mitigation
• Other Supporting Documentation
Automation Considerations
To maximize efficiency and seamlessly connect all stakeholders, the industry needs a comprehensive compliance management
tool that provides document management, workflow management, task management, personnel management, data collection,
aggregation and reporting. The application needs to integrate with existing network devices and monitoring software, using
date- or event-driven triggers for tasks to be done, while maintaining records of work that has already been completed.
The tool should provide internal reports from the data as the utility prepares for regulatory reporting and audits. The
application should be able to maintain and generate evidence as needed to demonstrate compliance across the
organization without sacrificing flexibility or being limited to specific regulations. It should be as configurable as
appropriate for Low, Medium or High Impact utilities, yet simple for the organization to use and interpret on a
day-to-day basis.
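The following is an added example, not code from the whitepaper or from 3Sys/SigmaFlow, of the date-driven tasking and evidence repository described above: completed work is recorded as evidence, each recurring obligation's next due date is derived from its last completion, and an audit-package view lists status and artifact pointers. The requirement labels, the 15-calendar-month review periods, the 30-day warning window and the sample evidence are all illustrative configuration (assumptions); confirm periodicities against the current standard text. Event-driven triggers (for example from a monitoring system) are not modeled. The one subtlety worth showing is that "N calendar months" is not "N×30 days", so month arithmetic must clamp the day of month.

```python
# Added example (not from the whitepaper): a minimal date-driven compliance
# tracker with an append-only evidence repository and an audit-package view.
# Requirement IDs, periods and sample data are illustrative (assumptions).
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional
import calendar

DUE_SOON_DAYS = 30  # warning window before a due date (assumption, tunable)


@dataclass(frozen=True)
class Obligation:
    req_id: str          # label such as "CIP-003-6 R1" (illustrative)
    description: str
    period_months: int   # "at least once every N calendar months"


@dataclass(frozen=True)
class Evidence:
    req_id: str
    completed_on: date
    artifact: str        # pointer into the document repository (constructed)


def add_calendar_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping the day to the target
    month's length (31 Jan + 1 month is 28/29 Feb). Counting N*30 days instead
    would put Oct 31 + 15 months on Jan 13 rather than Jan 31."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class ComplianceTracker:
    obligations: List[Obligation]
    evidence: List[Evidence] = field(default_factory=list)

    def record(self, ev: Evidence) -> None:
        """Append completed work to the evidence repository; never overwrite."""
        if ev.req_id not in {o.req_id for o in self.obligations}:
            raise ValueError(f"unknown requirement {ev.req_id}")
        self.evidence.append(ev)

    def latest_evidence(self, req_id: str) -> Optional[Evidence]:
        matches = [e for e in self.evidence if e.req_id == req_id]
        return max(matches, key=lambda e: e.completed_on) if matches else None

    def next_due(self, req_id: str) -> Optional[date]:
        """Date-driven trigger: last completion plus the review period."""
        period = next(o.period_months for o in self.obligations if o.req_id == req_id)
        last = self.latest_evidence(req_id)
        return add_calendar_months(last.completed_on, period) if last else None

    def status(self, req_id: str, as_of: date) -> str:
        due = self.next_due(req_id)
        if due is None:
            return "never performed"
        if as_of > due:
            return "overdue"
        if (due - as_of).days <= DUE_SOON_DAYS:
            return "due soon"
        return "compliant"

    def audit_package(self, as_of: date) -> List[Dict[str, str]]:
        """One row per obligation: what an audit evidence pull would list."""
        rows = []
        for o in sorted(self.obligations, key=lambda o: o.req_id):
            last = self.latest_evidence(o.req_id)
            due = self.next_due(o.req_id)
            rows.append({
                "requirement": o.req_id,
                "last_completed": last.completed_on.isoformat() if last else "",
                "artifact": last.artifact if last else "",
                "next_due": due.isoformat() if due else "",
                "status": self.status(o.req_id, as_of),
            })
        return rows


def build_sample_tracker() -> ComplianceTracker:
    """Constructed sample data; none of it comes from the whitepaper."""
    tracker = ComplianceTracker(obligations=[
        Obligation("CIP-002-5.1 R2", "Review BES Cyber System categorization; CIP Senior Manager approval", 15),
        Obligation("CIP-003-6 R1", "Review cyber security policies; CIP Senior Manager approval", 15),
        Obligation("CIP-003-6 R2 Att.1 Sec.1", "Reinforce cyber security practices (Low Impact awareness)", 15),
    ])
    tracker.record(Evidence("CIP-003-6 R1", date(2015, 6, 15), "policies/cip-003-policy-v3-signed.pdf"))
    tracker.record(Evidence("CIP-002-5.1 R2", date(2016, 1, 31), "inventory/bcs-list-2016-01-approved.xlsx"))
    return tracker


if __name__ == "__main__":
    for row in build_sample_tracker().audit_package(date(2016, 10, 1)):
        print(row)
```

Run as of 2016-10-01, the sample shows one obligation compliant (categorization review due 2017-04-30, the clamped result of 31 Jan plus 15 months), one overdue (policy review was due 2016-09-15) and one never performed. The evidence list is append-only so the audit trail is preserved; a real deployment would also store who performed the work and who approved it.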
Figure 2: Elements of a compliance management solution

Audit Readiness
• 1-click RSAW generation
• Workflow templates
• Workflow automation
• Seamless system integration

Change Management
• Compliance rules enforcement

Self Certification
• Automated RSAW generation process
• Review and approval tracking

Figure 2
The elements of a compliance management solution are shown in Figure 2, and each should be considered when evaluating
an automated solution. Several toolset categories need to be considered: management of cyber asset configurations,
logging and alerting based on cyber asset monitoring, access control for electronic and physical assets, document
management, and a repository that collects and manages the data for the eventual audit package output, such as the
RSAWs (Reliability Standard Audit Worksheets) referred to in Figure 2 and their supporting evidence.
Solution Selection
When selecting an automated solution, companies must first fully understand their core business needs and evaluate which
needs are effectively met by each application or software product. It is generally helpful to consider a few scenarios as you
develop your business needs. Below is a basic list of requirements that should be considered when evaluating a product:
Successful Deployment
Once a solution has been selected, an implementation process must be defined. This includes identifying the participants and
stakeholders, the time allocation of the appropriate resources, and an implementation timeline with defined milestones and
support from the “Kickoff” to “Go-Live”.
Figure 3 provides a high-level outline of the major steps for implementing a compliance solution.
Sample Implementations
Compliance solutions have been successfully implemented at a number of utilities.
Customer Testimonials
“...the SigmaFlow solution helped us reduce our RSAW production development time from 2000+ hours per year
to less than 200 hours per year.”
“...what a life-saver. I was able to pull additional evidence requests during our audit in a matter of minutes!”
3Sys is a compliance management firm that provides hands-on support to the Energy Industry. Expertise includes NERC
regulatory requirements for critical infrastructure protection (CIP), physical and electronic security, implementation and support
of compliance workflow tracking applications, and enterprise compliance program management. 3Sys differentiates itself in
the market by actually performing the regulatory management tasks versus only providing consulting on how tasks must
be performed. 3Sys staff implement, integrate, support and maintain compliance programs in conjunction with client staff.
3Sys Corp is headquartered in Portland, Oregon.
For more information about our products and services visit our website(s) or contact us at:
3syscorp.com sigmaflow.com
info@3syscorp.com info@sigmaflow.com