I have more than once thought of renaming this blog as “Lew Folkerth’s Blog (assisted by Tom Alrich)”. I’m considering this more seriously now, having just read Lew’s latest Lighthouse article in the RF newsletter, on CIP Exceptional Circumstances.
I think what I like so much about Lew’s articles is that he has really thought about whatever subject he is discussing, and makes observations I would never make in 100 years. Of course, he does more than think about these things, since his job at RF is in Entity Development. That is, he’s not an auditor (although he was one for many years), but rather his job is to help entities do what’s needed both for cyber security and compliance – and he understands cyber security practices as well as he understands CIP, which is saying a lot.
And now I have revealed some information that I withheld when I wrote this post in January: the Region that currently has an Entity Development department is RF, and the guiding force behind the CIP part of that department is Lew! And I’ll repeat what I said then: All NERC Regions should implement an Entity Development department (which is a group that works with entities to help them understand the standards and comply with them, although in Lew’s case he works with entities as much on cyber security as on compliance).
If you don’t believe that RF actually does this for their entities (since some might interpret this as being a violation of Auditor Independence – excuse me while I genuflect), you should reflect on the second-to-last sentence of Lew’s article (which appears in all of his articles): “If you are an entity registered within RF and believe you need assistance in sorting your way through this or any compliance related issue, remember RF has the Assist Visit program.” Does your Region do this? Maybe you should threaten to move your utility to Cleveland or Pittsburgh if they refuse to consider doing it.
And – since I’ve never been one to leave well enough alone – I want to add that, if your region doesn’t do Entity Development (and it’s not inconceivable that the auditors could do it themselves, if they don’t want to set up a separate department), you should definitely ask them to start thinking about it. I believe that, with CIP-013, you (meaning a NERC entity) will definitely be at a disadvantage if your Region won’t review your Supply Chain Cyber Security Risk Management Plan before you implement it, as discussed at length (the only way I know how to discuss anything!) in the post referenced above. And for evidence of what can happen if you can’t have that review, see the sorry tale of CIP-014 audits, discussed in this post and this one.[i]
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] I have recently heard that the situation regarding CIP-014 audits in the Region involved in both these posts hasn’t changed, and that the entities are putting their hopes in the standard being revised. I don’t want to be seen as throwing cold water on those hopes, but I’ll point out that I haven’t even heard any talk of a new SAR being developed for doing that, let alone a drafting team being in place to consider the idea.