After my recent post on my dialog with Steve Parker – where the subject was whether NERC rules changes would be needed to implement the new audit regime I described in this post – an auditor emailed me the comments below:
“When we audit compliance with the CIP (or any NERC) Standards, we audit to the language of the requirement, tempered by any official guidance that may be available. For a CIP Standard, that guidance includes the Guidelines and Technical Basis section of the Standard, the NERC CIP Lessons Learned, and the NERC CIP Frequently Asked Questions. When we audit, we can make one of four determinations for each Requirement: No Finding, Possible Violation, Area of Concern, or Recommendation.
“A determination of No Finding does not mean the Registered Entity is compliant, just that the audit team did not find any issues of non-compliance with the evidence that was examined. As the audit team does not examine every possible bit of evidence, we cannot make a determination of full compliance. We strive to examine sufficient evidence to make a reasonable determination, nothing more. The opposite of No Finding is a finding, and that is where the other three options come into play.
“A determination of Possible Violation is made when the audit team finds the Registered Entity is not compliant with the Requirement. That could include the failure to patch a single member component of a BES Cyber System as referenced in your blog. If a Registered Entity is expected to do something by the Requirement and fails to do so, no matter how insignificant, the Entity is non-compliant. The determination is initially termed a Possible Violation until Enforcement reviews the facts and circumstances of the finding and either confirms or dismisses the finding. A confirmed violation is then processed by Enforcement and can result in a number of possible outcomes, ranging from a Compliance Exception to a significant penalty, such as the $1.7 million fine that was recently reported.
“A determination of an Area of Concern is, and should be considered by the Registered Entity as, a ‘fair warning.’ The audit team may write an Area of Concern for a number of reasons. If the Registered Entity did not have an issue of non-compliance this time but the audit team is concerned that the Entity’s processes and procedures are such that the Entity may fall into non-compliance, the audit team will find an Area of Concern. If the Registered Entity was non-compliant at some point during the audit period, but had remedied the failure and is currently OK, the audit team may find an Area of Concern as opposed to calling a Possible Violation. Technically, the Registered Entity is non-compliant for the audit period and a Possible Violation is fully warranted. The audit team, using its discretion, may determine to issue the Area of Concern, in effect warning the Entity to continue to manage its processes to stay in compliance.
“The audit team may also choose to find an Area of Concern in lieu of a Possible Violation for a current issue of non-compliance, when the risk to the Bulk Electric System is so slight and the Registered Entity is reasonably expected to act promptly to remedy the concern. Again, the audit team would be proper in finding a Possible Violation for technical non-compliance, but uses its discretion to determine a lesser finding. This discretion is solely that of the audit team, which may consult with Enforcement before settling on the determination; the Registered Entity is well advised to not try to argue or persuade the audit team to downgrade a Possible Violation. And, the Registered Entity should take an Area of Concern seriously. While an Area of Concern is not processed through Enforcement, it is recorded in the audit report and does become part of the Registered Entity’s compliance history. If the audit team finds a substantively similar issue at the next audit, a Possible Violation will likely be found if there is any issue of non-compliance during the new audit period.
“A determination of a Recommendation is exactly that, a recommendation for consideration by the Registered Entity. Unlike an Area of Concern, where the audit team expects the Registered Entity to take some action to improve performance, a Recommendation is a suggestion for improvement. The audit team may make a suggestion for improving the efficiency of a process, or for the implementation of a best practice that will increase the Registered Entity’s overall cybersecurity posture. There are no down-road compliance implications if the Registered Entity evaluates the Recommendation and chooses to not implement it. Issuing Recommendations is the audit team’s way of encouraging Registered Entities to focus on protecting their Cyber Assets and not just on compliance.
“With the onset of CIP Version 5, there is another use for both the Area of Concern and the Recommendation. As you have pointed out on numerous occasions, there are some issues of ambiguity with the V5 Standards as written. A number of these issues have been identified by NERC and the Regions, such as through the V5TAG Transfer Document and submitted Requests for Interpretation. While NERC and the Regions may have a consensus on the expectations of an ambiguous Requirement, the audit team will likely find an Area of Concern in lieu of a Possible Violation if the Registered Entity’s actions differ from the expectations of the audit team. This discretion will depend, in part, on how well the audit team believes the Registered Entity put forth a good faith effort and can justify its position. Like most other Areas of Concern, the Registered Entity is put on notice that it may be non-compliant once the Requirement has been clarified. The Registered Entity is well advised to closely monitor the movement to resolution and to take all appropriate action to achieve compliance as necessary by the time the issue is fully resolved. Additionally, there are gaps in the Standards. When an audit team finds the Registered Entity is not in Possible Violation of the Requirement as written, but there is a gap that poses a risk to the reliability of the Bulk Electric System, the audit team is expected to find a Recommendation and to document the specifics of the gap in the audit report. As the audit reports are reviewed by NERC and FERC, these identified gaps will hopefully be scheduled for future standards development action.”
(back to Tom)
Besides providing some good information on audits, this auditor is also making a couple of good points:
- In the post referenced at the top of this one, I referred to the auditors issuing Areas of Concern to point out a way for the entity to improve its cybersecurity. I should really have called these findings Recommendations.
- Note that the auditor says “There are no down-road compliance implications if the Registered Entity evaluates the Recommendation and chooses not to implement it.” This reinforces what I said in the previous post: that I think Steve Parker’s fears that entities will be expected to comply with Recommendations are exaggerated. But there’s no way I (or even the auditor) can say with 100% certainty that this will never happen.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.