Wednesday, May 11, 2016

An Auditor Comments on a Recent Post

After my recent post on my dialog with Steve Parker – where the subject was whether NERC rules changes would be needed to implement the new audit regime I described in this post – an auditor emailed me the comments below:

“When we audit compliance with the CIP (or any NERC) Standards, we audit to the language of the requirement, tempered by any official guidance that may be available.  For a CIP Standard, that guidance includes the Guidelines and Technical Basis section of the Standard, the NERC CIP Lessons Learned, and the NERC CIP Frequently Asked Questions.  When we audit, we can make one of four determinations for each Requirement; No Finding, Possible Violation, Area of Concern, or Recommendation.

“A determination of No Finding does not mean the Registered Entity is compliant, just that the audit team did not find any issues of non-compliance with the evidence that was examined.  As the audit team does not examine every possible bit of evidence, we cannot make a determination of full compliance.  We strive to examine sufficient evidence to make a reasonable determination, nothing more.  The opposite of No Finding is a finding, and that is where the other three options come into play.

“A determination of Possible Violation is made when the audit team finds the Registered Entity is not compliant with the Requirement.  That could include the failure to patch a single member component of a BES Cyber System as referenced in your blog.  If a Registered Entity is expected to do something by the Requirement and fails to do so, no matter how insignificant, the Entity is non-compliant.  The determination is initially termed a Possible Violation until Enforcement reviews the facts and circumstances of the finding and either confirms or dismisses the finding.  A confirmed violation is then processed by Enforcement and can result in a number of possible outcomes, ranging from a Compliance Exception to a significant penalty, such as the $1.7 million fine that was recently reported.

“A determination of an Area of Concern is, and should be considered by the Registered Entity as, a ‘fair warning.’  The audit team may write an Area of Concern for a number of reasons.  If the Registered Entity did not have an issue of non-compliance this time but the audit team is concerned that the Entity’s processes and procedures are such that the Entity may fall into non-compliance, the audit team will find an Area of Concern.  If the Registered Entity was non-compliant at some point during the audit period, but had remedied the failure and is currently OK, the audit team may find an Area of Concern as opposed to calling a Possible Violation.  Technically, the Registered Entity is non-compliant for the audit period and a Possible Violation is fully warranted.  The audit team, using its discretion, may determine to issue the Area of Concern, in effect warning the Entity to continue to manage its processes to stay in compliance.

“The audit team may also choose to find an Area of Concern in lieu of a Possible Violation for a current issue of non-compliance, when the risk to the Bulk Electric System is so slight and the Registered Entity is reasonably expected to act promptly to remedy the concern.  Again, the audit team would be proper in finding a Possible Violation for technical non-compliance, but uses its discretion to determine a lesser finding.  This discretion is solely that of the audit team, which may consult with Enforcement before settling on the determination; the Registered Entity is well advised to not try to argue or persuade the audit team to downgrade a Possible Violation.  And, the Registered Entity should take an Area of Concern seriously.  While an Area of Concern is not processed through Enforcement, it is recorded in the audit report and does become part of the Registered Entity’s compliance history.  If the audit team finds a substantively similar issue at the next audit, a Possible Violation will likely be found if there is any issue of non-compliance during the new audit period.

“A determination of a Recommendation is exactly that, a recommendation for consideration by the Registered Entity.  Unlike an Area of Concern, where the audit team expects the Registered Entity to take some action to improve performance, a Recommendation is a suggestion for improvement.  The audit team may make a suggestion for improving the efficiency of a process, or for the implementation of a best practice that will increase the Registered Entity’s overall cybersecurity posture.  There are no down-road compliance implications if the Registered Entity evaluates the Recommendation and chooses to not implement it.  Issuing Recommendations is the audit team’s way of encouraging Registered Entities to focus on protecting their Cyber Assets and not just on compliance.

“With the onset of CIP Version 5, there is another use for both the Area of Concern and the Recommendation.  As you have pointed out on numerous occasions, there are some issues of ambiguity with the V5 Standards as written.  A number of these issues have been identified by NERC and the Regions, such as through the V5TAG Transfer Document and submitted Requests for Interpretation.  While NERC and the Regions may have a consensus on the expectations of an ambiguous Requirement, the audit team will likely find an Area of Concern in lieu of a Possible Violation if the Registered Entity’s actions differ from the expectations of the audit team.  This discretion will depend, in part, on how well the audit team believes the Registered Entity put forth a good faith effort and can justify its position.  Like most other Areas of Concern, the Registered Entity is put on notice that it may be non-compliant once the Requirement has been clarified.  The Registered Entity is well advised to closely monitor the movement to resolution and to take all appropriate action to achieve compliance as necessary by the time the issue is fully resolved.  Additionally, there are gaps in the Standards.  When an audit team finds the Registered Entity is not in Possible Violation of the Requirement as written, but there is a gap that poses a risk to the reliability of the Bulk Electric System, the audit team is expected to find a Recommendation and to document the specifics of the gap in the audit report.  As the audit reports are reviewed by NERC and FERC, these identified gaps will hopefully be scheduled for future standards development action.”

(back to Tom)
Besides providing some good information on audits, this auditor is also making a couple of good points:

  1. In the post referenced at the top of this one, I referred to the auditors issuing Areas of Concern to point out a way for the entity to improve its cybersecurity. I should really have called these findings Recommendations.
  2. Note that the auditor says “There are no down-road compliance implications if the Registered Entity evaluates the Recommendation and chooses not to implement it.” This reinforces what I said in the previous post: that I think Steve Parker’s fears that entities will be expected to comply with Recommendations are exaggerated. But there’s no way I (or even the auditor) can say with 100% certainty that this will never happen.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
