Six Critical Elements to Achieve Economies in NERC CIP Compliance

The interconnected computer systems and networks of electric, natural gas, and water distribution systems pose a significant risk to the nation’s critical infrastructure. This has put utilities under the microscope as they face increasing pressure for accountability regarding IT risk and compliance. The most taxing compliance demands on utilities stem from the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements. And as of July 1, 2010 these utilities face the next step in being auditably compliant, meaning organizations must meet the full intent of each CIP requirement and prove compliance to an auditor. It is no longer sufficient to be substantially or even fully compliant internally. Utilities that cannot demonstrate compliance face fines of up to $1 million per day per CIP violation. To achieve auditable compliance requires the utility to undergo internal audits, spot checks, and the ability to provide documented evidence of compliance or non-compliance to the CIP standards. This paper highlights the critical elements utilities must keep in mind to achieve economies in NERC CIP compliance as well other mandates.