Note from Tom: If you’re only looking for
today’s pandemic post, go to my new blog (and if you’re not
subscribing to that blog, please sign up for it. This blog will increasingly be
devoted to cybersecurity/NERC CIP discussions, although I’ll continue to post
the pandemic posts here as well - they just won’t get picked up by the email
feed on days when I post on both topics). But if you’re looking for my
cyber/NERC CIP posts, you’re come to the right place.
There’s no
question that the current pandemic is going to fundamentally change much of
American life. But I must admit that – to the extent I thought about it at all
- I thought NERC audits would probably be about the last thing to change, and
only then after other fundamentals of American life like the love of baseball
and apple pie.
However, in
response to my Friday post
discussing how NERC had pushed all audits back to September (from June), Kevin
Perry, former chief CIP auditor of the SPP Regional Entity, wrote to me to say:
“Even if the
states reopen for business, the virus will not magically go away. I would like NERC to change the CMEP to allow
for remote audits regardless of the state of the virus. During an on-site audit, the vast majority of
time involves the auditors and the entity staff sitting in a room facing each
other. That can be done just as easily
via a secure virtual meeting. All you
need to do is make sure the person speaking is close to the
phone/microphone. Forcing the audit team
to go onsite just because the entity is a BA, TOP, or RC makes no sense for
many audits.
“There are
some requirements that need to be inspected.
If those requirements are included in the scope of the audit, then going
onsite may be necessary. Alternatively,
a virtual tour using a camera-enabled webinar or other virtual tool (even the
iPhone FaceTime) could be used to perform a guided real-time inspection. The audit teams were already considering
using a video tour of sampled assets containing low impact BCS to audit the
physical access controls rather than driving all over the countryside to look
at a chain and padlock in person.”
If NERC
audits might change, what’s next? Maybe we’ll replace red, white and blue with
mauve, tope and Basic Black. The floodgates have opened!
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at
tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some
help on it? Or would you like me to review what you’ve written so far and let
you know what could be improved? Just drop me an email!
No comments:
Post a Comment