Q&A: Insights from Industry Experts on NERC's 2024 CIP Themes and Lessons Learned

NERC released its CIP Themes and Lessons Learned document in early August 2024. If you haven’t read it, we recommend you do so. You can find it on the NERC website.
In the Q&A below, our experienced advisors, Linda Perez and Jim Stanton, weigh in on the document.
Can you give a quick overview of the lessons learned document and what it means to energy organizations?
For many years, the CIP standards have been the most violated and closely monitored because they have the highest potential for an adverse impact on the Bulk Electric System. This Lessons Learned document highlights some gaps organizations still have in their NERC programs. We’re excited to see NERC identifying those gaps so they can be closed to make the BES more secure.
The report lists four areas of focus for a utility: latent vulnerability, insufficient commitment to low-impact programs, shortage of labor and skill sets, and performance drift. Can you talk a little about the four areas and how they relate to each other?
While the NERC document breaks these issues into four separate items, they overlap in practice.
Latent vulnerabilities are gaps that remain after we’ve tried to measure, mitigate, audit, and correct processes. They’re still there and can quickly spiral out of control if not managed properly.
If your organization has insufficient commitment to low-impact programs, it may need to escalate its priority. While NERC requirements may categorize some programs as low impact, they could still be significant for your operations. Making them a priority could help close critical gaps.
Shortages of labor and skill sets are another challenge for the industry. Skilled personnel – proficient not only in power production but also IT – are in high demand and often mobile. It’s critical to recognize their contributions and provide appropriate rewards and growth opportunities to retain them.
Performance drift stems from weaknesses in internal controls or individual performance. Cyber responsibilities should be clearly defined, specific, and assigned to individuals who are held accountable. They must consist of a distinct set of responsibilities tied to measurable performance outcomes, not “other duties as assigned.” The challenge is more difficult when employees juggle multiple roles, creating competing priorities and diluted focus.
Proactively addressing these issues is vital for the industry. Organizations should carefully review the report, identify where these four areas exist within their operations, and develop strategies to effectively mitigate them.
What is the best strategy for organizations to identify and address potential issues? How can they identify options to tackle any concerns quickly and efficiently? How can a multi-pronged approach address the four areas?
Start with a risk assessment. You can’t move forward unless you have a plan, and you can’t have a plan unless you know where you are. Meet with your team or bring in a third party to conduct the assessment, identify gaps, and develop strategies to address them.
Next, tackle any concerns quickly and efficiently. You might not resolve everything immediately, but you can begin the process.
Training is often an effective first step. Provide training on internal controls, procedures, and processes, and explain how each employee’s role aligns with the NERC CIP compliance standards.
Follow these initial steps with longer-term planning, such as identifying key roles, filling any gaps, and evaluating how unfilled positions impact your organization.
The solution must be collaborative throughout the organization. HR, management, operations, and IT need to work together, ensuring clarity on roles and responsibilities.
Internal controls are mentioned in the report. NERC noted improvements, which is a good sign. You both emphasize the importance of internal controls on an ongoing basis. How do you think strong internal controls impact the four areas of focus? Can you give specific examples of things you’ve helped clients with?
We’ve helped clients in various ways. We usually start by creating a roles and responsibilities matrix. Outline the standards, the requirements, who is responsible, what tasks they need to perform, when they need to complete them, and where the tasks need to be done. Once finalized and approved with everyone’s input, it’s a living document accessible to everyone. Then, establish a process to regularly review the matrix and ensure it’s effective.
We’ve developed and delivered training to help teams create and identify internal controls in their organizations. In some cases, we’ve uncovered undocumented internal controls by interviewing SMEs. By documenting these informal processes, we helped institutionalize them so they’re clear and accessible to everyone.
Additionally, we’ve worked with organizations to identify key players, assess their contributions, and determine the impact of their potential departure. If someone leaves, what gaps would it create? How can those gaps be addressed? Possible solutions include cross-training employees in related roles to serve as a backup or preparing for a lengthy search to replace the unique skills that individual provides.
In today’s market, finding qualified cybersecurity professionals with the electric industry expertise you need is a challenge, especially with multiple industries competing for the same talent. Having a plan to address these scenarios is essential.

What are some specific examples of the different struggles large and small entities face with cybersecurity management?
Organizations of all sizes face similar cybersecurity challenges. Employees, being human, will inevitably make mistakes. Your organization should reinforce cybersecurity practices across all levels, so employees understand how their everyday duties impact cybersecurity. Simple reminders like not sharing passwords, locking computers when stepping away, and avoiding opening doors to strangers can serve as daily reinforcements. The challenge is universal regardless of organization size.
Another common issue is staffing. Attracting and retaining skilled, qualified individuals is a challenge large and small organizations face because the talent pool is limited and everyone is competing for the same resources.
One of the most critical elements is understanding that cybersecurity isn’t solely an IT responsibility. It’s an organization-wide effort. It involves staff across multiple functions, from those securing physical perimeters at power plants or substations to operators managing SCADA systems during a cyberattack. Everyone has a role to play. By clearly mapping out and communicating these responsibilities, many issues can be addressed and mitigated effectively.
What strategies can energy organizations adopt to minimize the impact of cybersecurity staff shortages?
Defining cybersecurity responsibilities and creating a support structure around your IT staff is crucial, especially as these professionals possess highly sought-after skills in demand across industries. To attract and retain this talent, it’s essential to offer competitive compensation. However, it’s not just about salaries – it’s also about providing clear paths for career growth.
Many of these professionals are younger, highly skilled individuals who value job progression. By clearly defining, communicating, and publishing a career development path, you can show them future opportunities within your organization. This approach is a powerful motivator and encourages retention – people moving up within an organization are less likely to move on.
It’s equally important to establish strong internal controls that create touchpoints for identifying potential cyber risks. These controls help distribute the responsibility for cybersecurity across the organization rather than leaving it all in IT’s hands. By spreading accountability and engaging multiple teams, you can ensure a more holistic approach to cybersecurity while preventing IT from becoming overwhelmed.
How important is succession planning and talent development in maintaining cybersecurity resilience? What can organizations do to mitigate the loss of legacy knowledge and quickly prepare more inexperienced people coming in?
Training should be a top priority, including not only formal instruction but also mentorship opportunities with veteran employees. It’s crucial to onboard new hires early and create opportunities for them to spend time with experienced team members who have contributed significantly to your organization. These veteran employees have built programs from the ground up and understand the details. Establish a strategy to partner new employees with seasoned employees to encourage knowledge transfer. This approach not only prepares new employees but helps preserve valuable institutional knowledge as veteran employees retire.
Having a plan to retain and transfer legacy knowledge is essential. Strategies can include conducting thorough exit interviews with experienced employees as they leave, asking them to record their knowledge, work scope, experience, lessons learned, key milestones, and potential challenges.
You can also engage veteran employees as contractors after they retire so you can call them for guidance during specific tasks or when issues they have experience with arise. Their expertise can provide pointers, reminders, and insights into potential obstacles, helping to prevent costly mistakes and maintain operational continuity.
Looking ahead, what do you foresee as the biggest challenges or developments in energy cybersecurity and compliance?
Cyber risks are constantly evolving. Every day, individuals and organizations work tirelessly to find ways to breach systems, cause disruptions, and incite outages. With the right measures, you can prevent these attacks and detect when your organization may be under threat.
Staying ahead requires a dynamic approach. Cybersecurity isn’t a procedure you write and forget. It’s an ongoing, dynamic effort to keep pace with ever-changing threats. One of the biggest challenges organizations face is preparing for this constantly shifting landscape.
Developing and reinforcing strong internal controls keeps your organization secure. With robust controls in place, you don’t need to react or even be aware of every potential threat because your processes will kick in automatically. These controls enable your team to quickly identify and mitigate risks, putting your organization in a position to ensure continuous protection.