Commvault partners with Pure Storage » Cisco Live, Melbourne, AU and Tinton Falls, NJ: Commvault has announced the integration of its Commv... OF FOOLS OF THE MIDDLE BELT, ONE NORTH AND PASTOR... » A treatise on pastoral jihadism, islamism, arabism and cultural imperialism in Nigeria (Ephesians ... Where was Aisha Buhari when idiot Kumapayi flagr... » "Clip-clip..clip-clip...Did you not hear when BABA DAURA say women's place is in the kitchen?" ... UKCloud launches Disaster Recovery to the Cloud se... » London: UKCloud has announced the launch of Disaster Recovery to the Cloud, a self-service replicati... ADG Holdings bolsters security protection with Tra... » SAN MATEO, CA : TrapX Security™ has announced that ADG Holdings, a provider of proprietary trading a... ExtraHop combines analytics and low-cost storage... » London, UK: ExtraHop has announced several major platform enhancements as part of version 6.2. These... DEFENCE MINISTER MEETS TEENAGERS TAKING PART ... » Defence Minister Earl Howe today met teenagers at the Army’s first ‘Supercamp’, a new initiative whi... SONG OF THE SEASON » Also, visit: www.scorpionnewscorp.com APC, SO-SO TALK-TALK, SO-SO MOTIONS-MOTIONS, NO ACTION ... EEMBC and prpl align to drive use of hypervisors t... » SANTA CLARA, CALIF: Recently the prpl Foundation and EEMBC announced a formal partnership to advance... Qognify helps Navi Mumbai in the making of a safe ... » Qognify has announced the successful implementation of its market-leading Safe City solution in Navi...

CLICK HERE TO

SOCIAL BOOKMARK

Interview with John D. Rhea, Compliance Officer at OGE Energy

According to the Department of Homeland Security, cyber security threats to the electric utility industry are increasing (http://www.infosecisland.com/blogview/21201-DHS-Industrial-ControlSystems-Threats-Increasing.html). To meet these threats, NERC is increasing the Critical Infrastructure Protection (CIP) regulatory requirements that attempt to ensure that organizational networks and facilities are meeting basic standards in this area. Thus, cyber security and compliance professionals across the industry are currently facing many challenges in both achieving compliance at a time in which requirements are rapidly evolving, and ensuring that their systems are well protected from cyber attacks that are both more numerous and more sophisticated.

Vigilance had the privilege to hear from John D. Rhea before the upcoming Utility Cyber Security & CIP Compliance Conference, January 15-17, 2013 in Atlanta, GA. Below he shares with us his perspective on managing compliance documentation to meet CIP requirements. The responses below strictly reflect the views and beliefs of John D. Rhea, and not necessarily those of OGE Energy.

Vigilance: What have you found to be the key challenges to successfully managing CIP evidence documentation?

JDR:

a) The three most important things to remember when documenting compliance with NERC

CIP requirements are as follows:

(1) Make sure you have documented the universe of NERC CIP compliance responsibilities and assigned individuals to fulfill each of those responsibilities

(2) Make sure you have no gaps in documentation in terms of time and process

(3) Wherever possible standardize documentation

Vigilance: How have you met these challenges?

JDR:

b) Every NERC CIP requirement has been turned into what we call a Compliance Event and has been assigned a responsibility matrix that includes at least one subject matter expert, a management level employee, and an officer to assure adequate resources will be available to complete the requirement.  A compliance coordinator has been assigned to each Compliance Event to assist in the creation of standardized documentation where appropriate and review evidence for quality control purposes.

Vigilance: Given your years of experience, what do you see for the future of CIP compliance beyond version 5?

JDR:

c) Critical Infrastructure Protection must evolve so that it is no longer based on compliance with one size fits all rules, but instead is focused on assessing the risk to the bulk electric system facing each entity and each entity addressing those risks on both a tactical and a strategic basis.