Here's a description:
More than was the case with the previous CIP versions, NERC CIP version 5 includes a
number of “implicit requirements” – i.e., steps that an entity should take in
order to comply with the written requirements; these implicit requirements
aren’t themselves explicitly stated in the standards. They occur in many of the
CIP version 5 standards, although there is a large concentration in
CIP-002-5.1. Complying with them is as important as complying with the “explicit”
requirements.
Tom Alrich and Matt Light of Deloitte Advisory will lead the discussion of this issue.
Matt and Tom will present the implicit
requirements they have identified so far; workshop attendees are welcome to
bring up others they have identified. The workshop is intended to be completely
interactive, and the goal is to identify and discuss all of the implicit
requirements in CIP v5, as well as how entities should “comply” with them. This
will help NERC entities have a full picture of what they actually have to do to comply with CIP version 5.
At the end of the week before the Summit, all workshop
registrants will be emailed the preliminary list of implicit requirements,
including discussion of each. This list will be revised after the workshop, and
may be revised in the future as well; all workshop registrants will receive
these updates.
Tom Alrich has been helping NERC
entities comply with NERC CIP since 2008, first with Encari LLC and then with
Honeywell Process Solutions. Tom is now part of Deloitte Advisory, where he is
a Manager in the Cyber Risk Services practice, specializing in
Power and Utilities. Tom started
attending and writing about the NERC CSO 706 (CIP) Standards Drafting Team
meetings in 2010, as CIP versions 4 and 5 were drafted. Since early 2013, he
has written a popular blog on
developments in implementation and interpretation of CIP version 5. Tom has a Bachelor’s degree in Economics from
the University of Chicago and lives in Evanston, Illinois.
Matt Light is a Manager within Deloitte
Advisory’s Cyber Risk Services practice. He has over 8 years of experience
working with electric power utilities on critical infrastructure protection and
cyber risk management, first with the US Department of Energy (DoE) and more
recently with NERC. His projects have included development of frameworks for
building a cybersecurity program and measuring the maturity of the program
relative to industry best practices. He also has considerable experience with
collaborative efforts between the US government and industry, focusing on cyber
threat information sharing and analysis capabilities.
There is a $300 fee for the workshop, which goes entirely to EnergySec - a good cause! I hope you can join us for this. To register for the Summit and the workshop, or to get more information, go here.