NERC jolts energy company for 100+ violations and $10 million fine
The North American Electric Reliability Corporation (NERC) recently fined an energy company $10 million for over 100 violations to the regulatory authority’s Critical Infrastructure Protection (CIP) standards. It’s the biggest fine NERC has ever handed out for CIP violations.
Compliance efforts entail numerous tasks like documentation, assessments, remediation and reporting. This requires cross-departmental cooperation and management support, which were lacking at the energy company. In its findings report, NERC cited four main reasons why the energy company’s security failures were due to mismanagement.
- “Lack of management engagement, support, and accountability relating to the CIP compliance program;”
- “Disassociation of compliance and security that resulted in a deficient program and program documents, lack of implementation, and ineffective oversight and training;”
- “Organizational silos in the form of a lack of communication between management levels within the Companies, which contributed to a lack of awareness of the state of security and compliance; and”
- “Organizational silos across business units that resulted in confusion regarding expectations and ownership of tasks, and poor asset and configuration management practices.”
Since these findings relate to management and organizational structure, it points directly to a need for leadership to be more hands-on. Involved leadership would help ensure management engagement, support and accountability. Organizations with silo structures need to bring people and processes together and offer ways for departments to collaborate and communicate. Also, following compliance best practices would be helpful. Oversight and training are by-products of a well-run compliance program.
Compliance with a defensible record
Whether it’s a regulation or standard, your goal is to prove compliance. That’s easier with a GRC platform that enables you to show who did what, when, how and why. Regulations, standards, even contracts can be stored in the platform’s database and linked to associated controls, policies, procedures, assets, risks, third parties and more. The right platform not only aids compliance, it also streamlines activities and can help lower the risk of citations and fines.
Recall the report’s mention of organizational silos preventing collaboration between business units and a failure in communications? If the platform used for compliance can also perform integrated risk management, it can bridge silos so stakeholders in every department can work together and stay on task. Management is kept in the loop with single-plane-of-glass reports and dashboards and can drill down into supporting data.
Hopefully, this news is a wakeup call for all energy firms to revisit how they manage compliance, whether it’s NERC-CIP or another regulation, and our electrical grid is more secure.
NSCC members face a new compliance requirement: cybersecurity confirmation. It sounds easy, complete a form, but risk is high. Here’s guidance.
Compliance departments are seriously challenged these days. As business swirls in response to COVID-19, compliance has taken a back seat. That can lead to trouble—violations, fines or both—due to missing deadlines. Management, in a questionable move, may ask compliance to do something taboo. Instead of reading a half empty glass post designed to help compliance deal with these challenges, they instead get a half full glass post that is brimming with optimism for compliance’s role during COVID-19.
Learn about how HIPAA Compliance plays a role in protecting against cybercriminals.