As I announced in this post, Matt Light and I will be doing a workshop titled "Exploring
the 'Implicit Requirements' in NERC CIP version 5 – What’s not stated as a
requirement is just as important as what is" on the first day of
EnergySec’s upcoming Security and Compliance Summit in Arlington, VA on Sept.
14.

While we have had a good signup so far, there is still room for more. I hope you’ll
consider joining us. I’m certainly discovering a lot of “requirements” that are
“hidden” in CIP v5 and I’m looking forward to discussing them, as well as
hearing what other people have discovered.

Here’s the full story:

More than was the case with the previous CIP versions, NERC CIP version 5 includes a
number of “implicit requirements” – i.e., steps that an entity should take in
order to comply with the written requirements; these implicit requirements
aren’t themselves explicitly stated in the standards. They occur in many of the
CIP version 5 standards, although there is a large concentration in
CIP-002-5.1. Complying with them is as important as complying with the “explicit”
requirements.

Tom Alrich and Matt Light of Deloitte Advisory will lead the discussion of this
issue. Matt and Tom will present the implicit requirements they have
identified so far; workshop attendees are welcome to bring up others they have
identified. The workshop is intended to be completely interactive, and the goal
is to identify and discuss all of the implicit requirements in CIP v5, as well
as how entities should “comply” with them. This will help NERC entities have a
full picture of what they actually have to do to comply with
CIP version 5.

At the end of the week before the Summit, all workshop registrants will be emailed the
preliminary list of implicit requirements, including discussion of each. This
list will be revised after the workshop, and may be revised in the future as
well; all workshop registrants will receive these updates.

Tom Alrich has been helping NERC entities comply with NERC CIP since 2008,
first with Encari LLC and then with Honeywell Process Solutions. Tom is now
part of Deloitte Advisory, where he is a Manager in the Cyber Risk Services
practice, specializing in Power and Utilities. Tom started attending and
writing about the NERC CSO 706 (CIP) Standards Drafting Team meetings in 2010,
as CIP versions 4 and 5 were drafted. Since early 2013, he has written a
popular blog on developments in implementation and interpretation of CIP version 5. Tom
has a Bachelor’s degree in Economics from the University of Chicago and lives
in Evanston, Illinois.

Matt Light is a Manager within Deloitte Advisory’s Cyber Risk Services
practice. He has over 8 years of experience working with electric power
utilities on critical infrastructure protection and cyber risk management,
first with the US Department of Energy (DoE) and more recently with NERC. His
projects have included development of frameworks for building a cybersecurity
program and measuring the maturity of the program relative to industry best
practices. He also has considerable experience with collaborative efforts
between the US government and industry, focusing on cyber threat information
sharing and analysis capabilities.

Matt has a Master of Public Policy degree from Georgetown University and a Bachelor’s
degree in Materials Engineering from Rensselaer Polytechnic Institute.

There is a $300 fee for the workshop, which goes entirely to EnergySec - a good cause! I
hope you can join us for this. To register for the Summit and the workshop or
to get more information, go here.

The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.