EnergyNewswatch

NERC Fundamentals and Compliance
November 17-18 | Online
NERC Critical Infrastructure Protection (CIP)
November 18-19 | Online

Live Streaming Online

An EUCI Program

Registration: $2195 ($1195 for each program)

NERC Fundamentals and Compliance

November 17-18, 2021 | Online :: Central Time

Entities registered with the North American Electric Reliability Corporation (NERC) continue to address the complexities of NERC reliability standards implementation, ongoing compliance and enforcement. Full audit schedules ensure the stakes remain high (as evidenced by the recent $10 million fine imposed on a Registered Entity). Critical Infrastructure Protection (CIP) standards involve an added level of complexity.

With an increasing number of generation and transmission projects being proposed and built, it's important to understand the implications of being a NERC registered entity and the complicated and often costly compliance process. A host of important factors can significantly impact operations. One of the key tenets supporting compliance, or which can mitigate a penalty, is having a robust compliance program. To demonstrate a culture of compliance, a registered entity must show an enterprise-wide commitment to the process.

This course is an overview of NERC standards, compliance, and monitoring and will provide the necessary background for staff with compliance responsibilities to understand the concepts and complexities of NERC compliance to build a culture of compliance and reliability and prepare for audits. The course will help registered entities understand the background for the NERC standards, proven methods of compliance and how to best organize evidence to demonstrate compliance during an audit.

Learning Outcomes

  • Define the role of FERC, NERC and Regional Entities
  • Review the background for the NERC standards and discuss major recent revisions
  • Explain how regional entities calculate violations
  • Discuss how to comply with the most difficult standards
  • Define a culture of compliance and its importance in the compliance monitoring and enforcement process
  • Examine strategies to build an internal compliance program
  • Examine the NERC CIP requirements
  • Analyze the audit process and demonstrate strategies for success before, during, and after an audit
  • Review emerging trends in NERC compliance including:
    • Standards on Physical Security and Supply Chain Management
    • Geomagnetic Disturbances
    • Distributed Energy Resources

Agenda

WEDNESDAY, NOVEMBER 17, 2021 : CENTRAL TIME

9:00 a.m. – 5:00 p.m.
Course Timing

Short breaks will be taken throughout the sessions

Overview of NERC Reliability Standards and Requirements

  • NERC as the ERO
  • Important definitions used in Reliability Standards
  • Overview of entity registration
  • Standards background and drafting process
  • Results based standards
  • Compliance and enforcement
    • Lessons learned
    • Technical rationale vs. implementation guides
    • Standards efficiency review
  • Risk-based compliance highlights
    • Inherent risk assessment
    • Internal controls evaluation
    • Find, fix, track and report
    • Sanction guidelines
  • NERC compliance in practice
    • Defining a culture of compliance and building, communicating and demonstrating a culture of compliance
    • Role of a culture of compliance in mitigation
    • Preparing for an audit: what to do before, during and after an on-site compliance audit
    • Settlement process
    • Managing documents and evidence
    • Demonstrating a culture of compliance

THURSDAY, NOVEMBER 18, 2021 : CENTRAL TIME

9:00 a.m. – 12:00 p.m.
Course Timing

Short breaks will be taken throughout the sessions

  • How to build, communicate and demonstrate a “culture of compliance”
    • Culture of compliance in mitigation
  • Preparing for an audit: what to do before, during and after an on-site compliance audit, including successful strategies and avoiding common pitfalls
  • Discuss the settlement process after a violation has been found
  • Recognize how NERC compliance fits with other enterprise compliance needs and risk management
  • Managing documentation and evidence
  • Demonstrating a culture of compliance to auditors

 

NERC Critical Infrastructure Protection (CIP)

November 18-19, 2021 | Online :: Central Time

This session will provide an overview of the NERC CIP Reliability Standards. The electric grid in North America is at the top of the list of critical infrastructures maintained by Presidential Directive by the Department of Homeland Security, and it is recognized that the remaining critical infrastructures will not function without a reliable supply of electricity. As a result, cyber and physical security for electric utilities is at the forefront of legislators' and regulators' agendas following recent cyber and physical attacks in the US and elsewhere in the world.

To address these risks, the North American Electric Reliability Corporation (NERC) has developed and maintained a set of Critical Infrastructure Protection (CIP) standards that are mandatory and enforceable. These standards have undergone significant change since they were first adopted in FERC Order 706. They have been extended to include all Bulk Electric System Assets and their related Cyber Assets, each categorized as High, Medium, and Lower Risk assets, thereby extending the program to all registered entities and all bulk electric system assets at some level.

This course will provide a deep fundamental understanding of the NERC CIP standards, including a history of their development, an understanding of the present standards, and a view of what is coming in future standard development. The course will also provide a detailed overview of each standard, its fundamental purpose, and the intent of each requirement.

Developing programs to meet the intent of the standard is challenging, since compliance with the standards requires disciplines from several key corporate functions, including, at a minimum, electric system operations, information technology, corporate security, and human resources. This course will also review organizational structures for successful implementation and their experiences. It will also provide an overview of the compliance and monitoring efforts that NERC will conduct for the CIP standards, and is designed to give all staff the necessary background to understand the concepts and complexities of NERC compliance in order to communicate and build a culture of compliance and reliability and prepare for upcoming CIP audits.

Learning Outcomes

  • Review the background for the NERC Critical Infrastructure Standards and discuss major recent revisions
  • Review the scope and purpose of the NERC Critical Infrastructure Protection (CIP) standards
  • Examine the NERC CIP requirements: Current version and upcoming revisions
  • Assess the confidentiality provisions of the CIP standards
  • Explain how violations are determined and identify which CIP standards are the most violated and why
  • Discuss the challenges faced by utilities in defining a compliance program across the corporate functions necessary for CIP compliance (operations, information technology, corporate security, human resources, etc.)
  • Define a culture of compliance and its importance in the compliance monitoring and enforcement process
  • Examine strategies to build an internal CIP compliance program in such a diverse environment
  • Analyze the audit process for CIP standards and demonstrate strategies for success before, during, and after an audit

Agenda

THURSDAY, NOVEMBER 18, 2021 : CENTRAL TIME

1:00 – 4:00 p.m.
Course Timing

Short breaks will be taken throughout the sessions   

  • History and background of NERC CIP
  • Reliability standards
  • CIP Version 5 – New definitions
    • Review of the intent and purpose of each standard
    • Understanding each of the requirements
    • Departments involved in meeting the intent
  • Bulk electric system (BES) cyber system categorization
  • Security management controls
  • Personnel & training
  • Electronic security perimeters

FRIDAY, NOVEMBER 19, 2021 : CENTRAL TIME

9:00 a.m. – 4:00 p.m.
Course Timing

Short breaks will be taken throughout the sessions   

  • Physical security plan
  • Audit process and preparation
  • System security management
  • Incident reporting/response planning
  • Recovery plans for BES cyber systems
  • Organizing for compliance
  • Configuration change management and vulnerability assessments
  • Information protection
  • Managing documentation and evidence
  • Tools and resources
    • “Tools” and NERC CIP compliance
    • Active vulnerability assessment tools
    • Danger: Active scanning of ICS environments is risky business!
    • Emerging issues and new standards