Identifying Risks in CIP Programs

Every regulation has its unique set of requirements, outcomes, regulators, consequences, and culture. Identifying risks in CIP programs is no different. The unique set of variables stated above even applies to the different regions of Critical Infrastructure Protection (CIP) including NERC, WECC, Mandatory Reliability Standards (MRS), and Alberta Reliability Standards (ARS).

Risk Management

Every Responsible Entity (RE) or Market Participant (MP) faces a variety of risks. Risks can be regulatory, requirement-driven, personnel-related, cultural, or financial, to name a few. The following questions, while not direct CIP requirements, significantly impact compliance.

  • Which risks matter to your CIP program and require resources and energy?
  • Which risks are significant enough to report to leadership as an issue?
  • How can REs and MPs be proactive without interrupting the compliance program?

It is difficult to deny that culture impacts the CIP programs of an organization. As the saying goes, “Culture eats business for breakfast”. Is there one program that combines the CIP program with operations? Are compliance and operations kept separate to “reduce” compliance risks? Does leadership support the compliance program or the operations? Do the program resources report to different leaders? Are those leaders in sync?

Rationalizing an RMF

One method to identify risks in CIP programs is to leverage your Enterprise Risk Management Framework (RMF). Of all the CIP programs I’ve been involved with, none have integrated with the enterprise risk management framework. Why is this? Possibly because of:

  • Minimum compliance with the CIP requirements
  • Sensitivity to changing a program that balances compliance and operations
  • Budget restrictions
  • Containment of the CIP program from other departments

There could be many causes as to why CIP programs are not embracing their RMF. Containing the CIP program is actually recommended by the industry as a way to reduce the CIP footprint. Although not officially stated anywhere, reducing the CIP footprint is a way to control compliance risk. If the objective is to be compliant, then this statement is very valid. If the objective is to be secure, a different approach may need to be considered.

Field Silo

CIP programs operating in silos may create the perception that risks are reduced and managed. It is essential to recognize that risks are always present. In fact, siloed approaches can introduce new risks, including compliance risks of a different kind.

Identifying and addressing these risks within CIP compliance programs is crucial for comprehensive risk management.

Contained CIP programs are great for a point in time. I have witnessed many events where creativity is necessary because a round peg must be jammed into a square hole. One way to change the siloed environment is to focus on regulatory requirements. However, this does change the resource requirements, and potentially your program, through the application of People, Process, and Technology (PPT). If PPT is off, that is a Key Risk Indicator (KRI) for your CIP program. If that is the case, are your KRIs appropriately configured for your regulatory requirements?

Integrating an RMF

There are no requirements to implement KRIs in your CIP program. KRIs are usually bypassed to achieve minimum compliance, but KRIs will help identify risks in your CIP program. Although KRIs can be developed in a silo, they are usually derived from an RMF. Entities can create an isolated RMF specifically tailored to the CIP program, but the benefits of this approach should be assessed appropriately. The primary message is to integrate your CIP program with your enterprise risk management framework. Entities must gauge whether the integration needs to be formalized within the CIP program or informally integrated outside of it. The RMF integration can be a great candidate for your Compliance Monitoring and Enforcement Program (CMEP), if applicable.

By integrating with an RMF, entities can assess CIP risks with a rationalized outcome. Many variables and rabbit holes can result from RMF integration, but managing those then becomes management’s responsibility.

Conclusion

Risks are inevitable, and each organization chooses its level of proactiveness or reactiveness in its compliance programs. Identifying risks in CIP programs can be performed in a silo, informally with the risk teams, or fully integrated with the RMF. Whatever the decision, the right choice is to tailor it to the requirements of your program(s) and organization.

The benefits of RMF integration with your CIP program may include, but are not limited to: 😊

  • Leveraging existing organizational strengths
  • Centralizing risk efforts
  • Engaging non-CIP resources for different perspectives
  • Cross-training organizational resources
  • Cost savings for your program

This is a direct candidate for IT/OT convergence. CIP teams can be very isolated from the rest of the organization. Converging IT and OT environments has benefits at both the program and the organizational level. We invite you to read our blog, “Adopting IT/OT Convergence”, to learn more.