ERE Information Security Auditors

Electricity Utilities: Welcome to the World of Information Security Compliance

By Ron Lepofsky, CISSP, B.A.Sc. (Mechanical Engineering)

This article attempts to cut through the dizzying array of acronyms, agency names, and renamed standards to identify the governing bodies that determine and enforce compliance.

Executive Overview

Just as there are various widely applicable information security standards such as ISO 17799, COBIT, and ISF, there is also a North American set of information security standards for the electricity generation/distribution industry. The sponsors for this standard are the U.S. Federal Departments of Energy and Homeland Security, which want a stable dependable electricity infrastructure across North America.

This article attempts to cut through the dizzying array of acronyms, agency names, and renamed standards, to identify for the reader the governing bodies that determine and enforce compliance—as well as their "teeth" to enforce compliance, and two concurrent timetables for meeting compliance by market participant category.

Many readers will be surprised to learn they are already late or remiss with their compliance obligations, and that final compliance requirements are far earlier than they understood.

The Players

In response to the cascading electricity supply failure of August 2003 and to terrorism threats, the federal Energy Policy Act of 2005 (EPAct) [1] directed the Federal Energy Regulatory Commission (FERC) [2] to certify an organization responsible for ensuring a reliable supply of electricity for North America. This oversight organization is to be named the Electric Reliability Organization (ERO). The specific rule is FERC Order No. 672, Docket RM05-30-000, codified at 18 CFR Part 39. [3]

The act mandates a process by which applicant organizations register with a selection committee to be considered for the position of ERO. The North American Electric Reliability Council (NERC) is the only applicant for the position. NERC's stated goal is to work with U.S. and Canadian legislators to become certified and to begin operating as the ERO by January 1, 2007. [4]

Jurisdiction will be all of North America, with Canadian participation provided primarily by each of the provincial governments. In Canada the provinces and the National Energy Board [5] have jurisdiction over electricity, unlike the USA, where the bulk electricity system is regulated federally.

For example, the Ontario Ministry of Energy is responsible for electricity legislation in Ontario and sponsored the Ontario Electricity Act, 1998 [6], which refers to NERC or its successor as the source of the standards that will regulate market participants.

The specific relevant sections are, under Definitions: "'standards authority' means the North American Electric Reliability Council, any successor thereof, or any other agency or body that recommends standards or criteria relating to the reliability of transmission systems"; in section 5(1)(d): "to participate in the development by any standards authority of standards and criteria relating to the reliability of transmission systems"; and in section 34(1)3: "to implement standards or criteria of a standards authority."

The Canadian Electricity Association [7] is the advocate for the Canadian electricity industry, and interfaces with both the Canadian federal government and each of the provincial governments on the industry's behalf on issues such as NERC compliance.

Teeth for Enforcing Compliance

It will be the responsibility of the ERO to create "teeth", that is, penalties for non-compliance with its information security standards, and to have the authority to enforce sanctions.

Regulatory enforcement in the U.S. will be straightforward, via the ERO, presumably NERC. In Canada, enforcement will flow to the provincial Independent Market Operators (IMOs), such as the Independent Electricity System Operator (IESO) [8] in Ontario. However, Canadian provincial jurisdictions have the option of delegating enforcement to the ERO and to ERO Regional Councils, as an alternative to performing their own enforcement.

Thus, enforcement does not automatically flow to provincial IMOs. Compliance obligations will also flow from contractual arrangements between market participants: from those already responsible for compliance to those that are not yet responsible for it.

There is also the motivation of self-preservation, which causes participants to comply voluntarily: no entity wants to be the cause or a conveyor of a catastrophic availability failure.

Timetables

Before identifying the current NERC timetables for compliance, it is useful for purposes of clarity to identify several of the NERC standards:

  1. NERC 1200, Urgent Action. This is a current compliance standard. [9]
  2. CIP-002-1 through CIP-009-1, draft 4. This is the most current standard, but it is still under review. [10]
  3. NERC 1300 is an older standard: it updated NERC 1200 and was in turn replaced by CIP-002-1 through CIP-009-1.

The first actual timetable for compliance deals with the ratification of a final CIP-002 standard, which has a stated completion date of June 1, 2006. Figure 1 identifies NERC's proposed schedule. [11]

CIP-002 Development Plan

Step  Activity                                  Date
1     Host a web cast for NERC's ballot body    January 31, 2006
2     First ballot of Standard CIP-002-1        February 15 to February 24, 2006
3     Respond to comments                       February 25 to March 13, 2006
4     Post for recirculation ballot             March 14 to March 24, 2006
5     30-day posting before board adoption      March 25 to April 24, 2006
6     Board adopts Standard CIP-002-1           May 2, 2006
7     Effective date                            June 1, 2006

Figure 1: CIP-002 Development Plan

The second concurrent activity deals with the selection of the ERO. Figure 2 identifies key times associated with this process.

FERC Selection of the ERO

Date                 Milestone
February 4, 2006     FERC establishes guidelines for becoming the ERO
April 4, 2006        Final date to apply to become the ERO
January 1, 2007      Target date for FERC's decision naming NERC as the national ERO

Figure 2: FERC Selection of the ERO

Compliance Schedule by Responsible Entity Category

NERC has published a granular description of compliance requirements by responsible entity category. A summary of this phased compliance schedule is shown in Figure 3.

Entity Classification                                   Deadline to Comply   Standard                   Self-Certification                          Compliance Goal
Balancing Authorities, Transmission Operators           June 30, 2007        NERC 1200 Urgent Action    Self-certify                                Begin work or substantially complete work
Balancing Authorities, Transmission Operators           June 30, 2007        CIP-002 through CIP-009    Not required to self-certify to NERC 1200   Begin work or substantially complete work
Interchange Authorities, Transmission Owners,           December 31, 2006    CIP-002 through CIP-009    All                                         Begin work or substantially complete work
Generator Owners, Generator Operators,
and Load-Serving Entities

Figure 3: Summary Compliance Schedule by Responsible Entity Category

Conclusion

December 31, 2006 is an important compliance date for Interchange Authorities, Transmission Owners, Generator Owners, Generator Operators, and Load-Serving Entities. Following shortly is another compliance date of June 30, 2007 for Balancing Authorities and Transmission Operators. Compliance obligations may also flow to market participants in contractual relationships with organizations obligated to comply.

Some organizations have misinterpreted the compliance timetable and have erroneously assumed 2010 to be the start date for their obligations. Closer scrutiny of the NERC timetable reveals that time is of the essence for responsible entities to be well underway in their compliance efforts for NERC 1200 or for CIP-002-1 through CIP-009-1.

Notes

[1] http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&docid=f:h6enr.txt.pdf
[2] Contact ERE for a copy of the document, which was previously posted at www.nerc.com
[3] Search for "ERO" on www.ferc.gov to find http://www.ferc.gov/industries/electric/indus-act/reliability/E-1-overview.pdf
[4] Contact ERE for a copy of the document, which was previously posted at www.nerc.com
[5] The NEB has jurisdiction over international power lines and electricity exports. http://www.neb-one.gc.ca/clf-nsi/index.html
[6] http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/98e15_e.htm
[7] Contact ERE for a copy of the document, which was previously posted at http://www.canelect.ca/en/home.html
[8] http://www.theimo.com/
[9] Contact ERE for a copy of the document, which was previously posted at www.nerc.com
[10] Contact ERE for a copy of the document, which was previously posted at www.nerc.com
[11] Contact ERE for a copy of the document, which was previously posted at www.nerc.com

About the Author

Ron Lepofsky is the President and CEO of ERE Information Security Auditors. ERE provides services to electricity generation, transmission and distribution participants, large publicly traded corporations, the financial industry, manufacturing and distribution organizations, and large law firms. ERE clients span Canada, the USA and Europe.

Copyright © 2007-2008. All rights reserved.