NERC jolts energy company for 100+ violations and $10 million fine
The North American Electric Reliability Corporation (NERC) recently fined an energy company $10 million for over 100 violations of the regulatory authority’s Critical Infrastructure Protection (CIP) standards. It’s the biggest fine NERC has ever handed out for CIP violations.
Compliance efforts entail numerous tasks like documentation, assessments, remediation and reporting. This requires cross-departmental cooperation and management support, which were lacking at the energy company. In its findings report, NERC cited four main reasons why the energy company’s security failures were due to mismanagement.
- “Lack of management engagement, support, and accountability relating to the CIP compliance program;”
- “Disassociation of compliance and security that resulted in a deficient program and program documents, lack of implementation, and ineffective oversight and training;”
- “Organizational silos in the form of a lack of communication between management levels within the Companies, which contributed to a lack of awareness of the state of security and compliance; and”
- “Organizational silos across business units that resulted in confusion regarding expectations and ownership of tasks, and poor asset and configuration management practices.”
Since these findings relate to management and organizational structure, they point directly to a need for leadership to be more hands-on. Involved leadership would help ensure management engagement, support and accountability. Organizations with silo structures need to bring people and processes together and offer ways for departments to collaborate and communicate. Also, following compliance best practices would be helpful. Oversight and training are by-products of a well-run compliance program.
Compliance with a defensible record
Whether it’s a regulation or standard, your goal is to prove compliance. That’s easier with a GRC platform that enables you to show who did what, when, how and why. Regulations, standards, even contracts can be stored in the platform’s database and linked to associated controls, policies, procedures, assets, risks, third parties and more. The right platform not only aids compliance, it also streamlines activities and can help lower the risk of citations and fines.
Recall the report’s mention of organizational silos preventing collaboration between business units and a failure in communications? If the platform used for compliance can also perform integrated risk management, it can bridge silos so stakeholders in every department can work together and stay on task. Management is kept in the loop with single-pane-of-glass reports and dashboards and can drill down into supporting data.
Hopefully, this news is a wake-up call for all energy firms to revisit how they manage compliance, whether it’s NERC-CIP or another regulation, and our electrical grid becomes more secure as a result.