I have more than once thought of renaming this blog as “Lew Folkerth’s Blog (assisted by Tom Alrich)”. I’m considering this more seriously now, having just read Lew’s latest Lighthouse article in the RF newsletter, on CIP Exceptional Circumstances.
I think what I like so much about Lew’s articles is that he has really thought about whatever subject he is discussing, and makes observations I would never make in 100 years. Of course, he does more than think about these things, since his job at RF is in Entity Development. That is, he’s not an auditor (although he was one for many years), but rather his job is to help entities do what’s needed both for cyber security and compliance – and he understands cyber security practices as well as he understands CIP, which is saying a lot.
And now I have revealed some information that I withheld when I wrote this post in January: the Region that currently has an Entity Development department is RF, and the guiding force behind the CIP part of that department is Lew! And I’ll repeat what I said then: All NERC Regions should implement an Entity Development department (which is a group that works with entities to help them understand the standards and comply with them, although in Lew’s case he works with entities as much on cyber security as on compliance).
If you don’t believe that RF actually does this for their entities (since some might interpret this as being a violation of Auditor Independence – excuse me while I genuflect), you should reflect on the second-to-last sentence of Lew’s article (which appears in all of his articles): “If you are an entity registered within RF and believe you need assistance in sorting your way through this or any compliance related issue, remember RF has the Assist Visit program.” Does your Region do this? Maybe you should threaten to move your utility to Cleveland or Pittsburgh if they refuse to consider doing it.
And – since I’ve never been one to leave well enough alone – I want to add that, if your region doesn’t do Entity Development (and it’s not inconceivable that the auditors could do it themselves, if they don’t want to set up a separate department), you should definitely ask them to start thinking about it. I believe that, with CIP-013, you (meaning a NERC entity) will definitely be at a disadvantage if your Region won’t review your Supply Chain Cyber Security Risk Management Plan before you implement it, as discussed at length (the only way I know how to discuss anything!) in the post referenced above. And for evidence of what can happen if you can’t have that review, see the sorry tale of CIP-014 audits, discussed in this post and this one.[i]
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] I have recently heard that the situation regarding CIP-014 audits in the Region involved in both these posts hasn’t changed, and that the entities are putting their hopes in the standard being revised. I don’t want to be seen as throwing cold water on those hopes, but I’ll point out that I haven’t even heard any talk of a new SAR being developed for doing that, let alone a drafting team being in place to consider the idea.