Overview:
The North American Electric Reliability Corporation (NERC) includes six Regional Entities (REs), which were formerly called Regional Reliability Organizations. While the REs have other responsibilities as well, they play a vital role in education on, and enforcement of, the NERC Reliability Standards. At least two of the REs develop, promulgate and enforce their own regional reliability standards.
The most visible function of the REs is enforcing compliance with the NERC Reliability Standards, including the NERC CIP cybersecurity standards, among the NERC entities that own grid assets (substations, fossil and renewable generating facilities and Control Centers) in their Region. These include electric utilities, Independent Power Producers and other organizations that are members of NERC. NERC entities that own assets in multiple Regions are audited by each RE, although in some cases the audits are combined to avoid duplication of effort. NERC has its own auditors, who audit the Regional Entities and sometimes participate with the Regions in audits of their members.
Besides auditing, the REs utilize other means to enforce compliance, including spot checks, investigations, self-reports, and compliance self-certifications. The REs also help their members understand the NERC requirements they must comply with. However, as part of the “NERC ERO”, the REs are not allowed to make direct interpretations of requirements or to advise their members on how to comply with any requirement.
When it comes to the NERC CIP standards, the REs face some real challenges, because the CIP standards are quite different from the other NERC standards, which are known as the “Operations and Planning” (“O&P”) standards. The O&P standards are ultimately based on the laws of physics, so there is usually a single correct interpretation of the wording of any requirement.
However, some of the concepts on which the CIP requirements are based, including words like “impact”, “programmable”, and “routable”, don’t have generally accepted definitions, nor are they defined in the NERC Glossary. This makes it difficult for NERC entities to comply with some CIP requirements, unless their RE can advise them on what they interpret these and other terms to mean. This puts the auditors in a tough position; moreover, it leads in some cases to different Regional Entities auditing one requirement in different ways.
Why You Should Attend:
If you are involved with NERC CIP compliance at a NERC entity (electric utility or IPP), it’s important to understand the delicate balancing act that the regional CIP auditors must carry out. On the one hand, the NERC entities in their Region are questioning them about the unresolved ambiguities in some of the CIP requirements and definitions; on the other hand, the NERC lawyers enforce a strict prohibition on providing in writing anything that looks like an interpretation of a NERC requirement, out of concern that doing so would violate “auditor independence”.
In practice, it’s usually possible to receive compliance advice from one of your Regional CIP auditors, at least in cases where there is genuine ambiguity in the requirement. If your RE has a “compliance outreach” team, they should be your first point of contact for any compliance question. However, even if there is no such team in your Region, you shouldn’t hesitate to reach out to the auditors in your Region with such questions, as long as you don’t ask a question like “How do I comply with CIP-007 Requirement R2 Part 2.2?” or “How do you define the term ‘programmable’ in the NERC Glossary definition of Cyber Asset?”
Areas Covered in the Session:
Who Will Benefit:
People who work in other industries (or for consulting organizations), who would like to hear what lessons can be learned from the power industry’s experience with CIP.
Tom Alrich is an independent consultant and trainer specializing in two important topics:
Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC); they carry maximum penalties of $1 million per violation. While these standards have been successful in securing the grid in the 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.
Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only be successful if there are good data available on vulnerabilities, as well as data on the software or devices in which the vulnerabilities are found. Currently, two big US government programs are essential to providing that data: the CVE Program (run by the US Department of Homeland Security) and the National Vulnerability Database (run by the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.