Is an Automated Compliance Tracking Solution Right for You?

Like so many other power plant functions these days, regulatory and standards compliance can be automated. Know what you want an automated system to do before you make a vendor decision.

As North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) enforcement deadlines and audit dates loom—notably, CIP-003-6 in April 2017, which addresses the development and implementation of cyber security policies, procedures, processes and plans—each “responsible entity” faces the daunting task of ensuring compliance and maintaining evidence of that compliance. Transparency is critical: Compliance teams must not only meet deadlines but also ensure that their efforts are auditable. This requires considerable attention to organizing, maintaining, and revising evidence (Figure 1).

1. The case for simplification. Automated tracking systems eliminate countless labor-hours and many of the pitfalls associated with ensuring compliance and maintaining evidence of that compliance. A document tree assembles documents in a single repository for easy management. Courtesy: Qualtrax

Often this task falls in the laps of multiple employees, each of whom has additional responsibilities outside of compliance. Using the traditional hands-on approach, compliance involves spreadsheets, databases, digital documents, binders of paper, and various calendaring techniques. While these “manual” processes have gotten the job done for years, they eat up numerous labor hours and pose a number of other pitfalls. This reality has compliance managers asking, “What if we could automate our processes and have a central repository for reporting and auditing—and would the benefits of an automated tracking system justify the costs?”

Before you jump on the bandwagon, it’s best to gather your team, weigh the options, and cover the due diligence.

What an Automated Compliance Solution Offers

More than a few vendors offer automated solutions, some with more functionalities than others. Typical functions include:

■ Creation of Reliability Standards Audit Worksheets (RSAWs) that are routed among subject matter experts (Figure 2).

2. Standardization. Reliability Standards Audit Worksheets (RSAWs) standardize information collection and make identification of key personnel and process stage easy. Courtesy: Qualtrax

■ Creation of actionable workflows that are routed to appropriate employees and programmed to launch by either a date or an event.

■ Escalation to management of workflows not completed within allotted timeframes.

■ Document management, including revisions and review/approval cycles (Figure 3).

3. Clear visibility. An approval list for access gives management the transparent view it needs into the compliance program. Courtesy: Qualtrax

■ Asset management.

■ Access management.

■ Change control management.

■ Training and testing.

■ Reporting of selected documents and evidence for audits.

■ Custom application programming interface (API) integration into control network tools.

Note that, although the software images shown in this article are from Qualtrax, other vendors offer the same or similar functions. Here are six widely used out-of-the-box solution providers:

■ 360factors—http://www.360factors.com

■ AssurX—http://www.assurx.com

■ GenSuite—http://www.gensuite.com

■ MetricStream—http://www.metricstream.com

■ Qualtrax—https://www.qualtrax.com

■ SigmaFlow—http://www.sigmaflow.com

Determining Real Costs and Benefits

A compliance tracking system can range from $30,000 to well into six figures, depending on implementation and functionality. Some tools address NERC compliance specifically, while others can be used enterprise-wide. In addition to purchasing the tool itself, you’ll need to factor in costs for training employees, loading your current evidence and documents, and customizing the tool.

As for the benefits, you’ll realize them primarily over the long-term use of the system. A resource determination for maintenance of a standard NERC Reliability Compliance Program showed that a compliance solution could directly save an entity the equivalent of up to 2.5 full-time employees. It could also yield indirect savings in the form of fines avoided, because the system keeps an auditable trail of every notification, revision, change, upload, and action performed within it.

Thanks to the ease of group and role-based permissions, responsibilities don’t get lost when personnel change due to turnover or organizational restructuring.

An automated solution also gives management the transparent view it needs into the compliance program. It provides due dates, reporting, and escalation methods and eliminates the nightmare of manually tracking your compliance training.

Vendor Due Diligence

With so many tools out there, it’s important to ask the right questions before making your selection.

Ask the vendor to conduct a scenario-based demonstration, and pick three ways you foresee using the system. Then have all vendors address these same three scenarios so you can see how each tool handles the same situations. For example, upload evidence and attach it to the specific standard or requirement; assess training and testing within the system; or escalate an uncompleted workflow.

Then, be sure to ask the following questions:

■ What will an on-premise installation cost, and will you need to buy additional hardware and/or software? Due to NERC’s current CIP regulations, cloud-based storage is questionable. An on-premise installation is recommended until NERC issues more specific directives on cloud storage.

■ How difficult is converting to cloud-based storage once NERC gives a ruling? Most vendors can do this quite easily, but there may be additional costs.

■ How does licensing work? Some vendors offer per-seat licensing, while others offer group licenses. Licensing ranges from unlimited testing and training to a handful of dedicated or named licenses. Make sure you have a clear picture of license requirements for your intended use and number of employees.

■ How much are maintenance fees, and what do they cover? With most vendors, these are fairly standard, but you should ask. For example, does it include upgrades and updates?

■ What training is offered? These options differ with the vendor: You may be offered on- or off-site, per-person fees or group training, and unlimited tech support. Make sure you understand the training options, as you’ll need to have at least one person train as your administrator and help customize the system for your use.

■ Does your system work for both CIP and operations and planning? It should have the capability to handle both. Some systems will come with out-of-the-box workflows for one or both sets of standards that can be customized to your process.

■ How do I get my “audit package” out of the system? Each vendor has a different method for this, so be sure to ask for a demo. It doesn’t help to put everything into the system if you can’t retrieve it in a useful format.

Making Your Decision

During each demo, watch for ease of use from both an administrator’s and a user’s perspective. Is the user interface clunky or too detailed? Is it intuitive or overly complicated? Weigh the components that matter to your organization against your entity’s budget constraints. Ask a lot of questions, and request a second demo if you need it.

Implementing a new system can be intimidating. Entities often prefer to stick with the processes they have in place because they’ve worked okay thus far. But the system that got you to where you are today may not get you to where your organization is headed tomorrow. Contact some vendors, set up a few demos, and see what these tools can do to save you time, money, and resources over the long term. At the very least, you’ll know what’s available should you decide you need an automated system down the road. ■

Mark Gollini (mark.gollini@naes.com) is director of NERC Services, NAES Corp.