As I announced in this post, Matt Light and I will be doing a workshop titled "Exploring the 'Implicit Requirements' in NERC CIP version 5 – What’s not stated as a requirement is just as important as what is" on the first day of EnergySec’s upcoming Security and Compliance Summit in Arlington, VA on Sept. 14.
While we have had a good signup so far, there is still room for more. I hope you’ll consider joining us. I’m certainly discovering a lot of “requirements” that are “hidden” in CIP v5 and I’m looking forward to discussing them, as well as hearing what other people have discovered.
Here’s the full story:
More than was the case with the previous CIP versions, NERC CIP version 5 includes a number of “implicit requirements” – i.e., steps that an entity should take in order to comply with the written requirements but that aren’t themselves explicitly stated in the standards. They occur in many of the CIP version 5 standards, although there is a large concentration in CIP-002-5.1. Complying with them is as important as complying with the “explicit” requirements.
Tom Alrich and Matt Light of Deloitte Advisory will lead the discussion of this issue. Matt and Tom will present the implicit requirements they have identified so far; workshop attendees are welcome to bring up others they have identified. The workshop is intended to be completely interactive, and the goal is to identify and discuss all of the implicit requirements in CIP v5, as well as how entities should “comply” with them. This will help NERC entities have a full picture of what they actually have to do to comply with CIP version 5.
At the end of the week before the Summit, all workshop registrants will be emailed the preliminary list of implicit requirements, including discussion of each. This list will be revised after the workshop, and may be revised in the future as well; all workshop registrants will receive these updates.
Tom Alrich has been helping NERC entities comply with NERC CIP since 2008, first with Encari LLC and then with Honeywell Process Solutions. Tom is now part of Deloitte Advisory, where he is a Manager in the Cyber Risk Services practice, specializing in Power and Utilities. Tom started attending and writing about the NERC CSO 706 (CIP) Standards Drafting Team meetings in 2010, as CIP versions 4 and 5 were drafted. Since early 2013, he has written a popular blog on developments in implementation and interpretation of CIP version 5. Tom has a Bachelor’s degree in Economics from the University of Chicago and lives in Evanston, Illinois.
Matt Light is a Manager within Deloitte Advisory’s Cyber Risk Services practice. He has over 8 years of experience working with electric power utilities on critical infrastructure protection and cyber risk management, first with the US Department of Energy (DoE) and more recently with NERC. His projects have included development of frameworks for building a cybersecurity program and measuring the maturity of the program relative to industry best practices. He also has considerable experience with collaborative efforts between the US government and industry, focusing on cyber threat information sharing and analysis capabilities.
Matt has a Master of Public Policy degree from Georgetown University and a Bachelor’s degree in Materials Engineering from Rensselaer Polytechnic Institute.
There is a $300 fee for the workshop, which goes entirely to EnergySec - a good cause! I hope you can join us for this. To register for the Summit and the workshop or to get more information, go here.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.