CIP Compliance: Reducing Your Risk
How utilities can navigate critical infrastructure protection requirements.
effective, cost-efficient levels. Service delivery also plans for disaster recovery and prevention and builds the required capacity into day-to-day operations.
Achieving CIP Compliance
By implementing the ITIL framework, utilities put in place the service-management processes needed to meet the CIP-002 through CIP-009 cyber security requirements. However, the problem for the utilities still remains: How do we get from where we are today to where we want to be tomorrow (i.e., fully and auditably compliant)? To move “from here to there” a utility must implement three key components: a structured approach, a security assurance framework, and a road map to compliance.
The structured approach organizes the CIP compliance initiatives into a single project that applies project-management principles and uses assessment and planning methodologies. The best way to incorporate these aspects is to define standardized phases, tasks, and deliverables so that the structure can be managed and maintained throughout the effort.
Once the structure is in place, the security assurance framework evaluates the organization’s compliance with the NERC CIP standards. The framework’s processes, procedures, and practices define how ITIL will be applied to day-to-day business operations. Technology and tools facilitate the automated execution of those processes, procedures, and practices, which also produces the evidence an auditor will expect to see.
Finally, by developing a road map to compliance, organizations can track project initiatives, estimated timelines, resources, and costs needed to reach the end state of full compliance. The road map should lay out the logical steps for implementing CIP compliance through ITIL. The steps should be sequenced so that the most critical and important tasks are accomplished first, and then aligned with the NERC CIP implementation schedules.
Over the next few years, achieving and maintaining CIP compliance will be challenging for utilities. However, they can leverage industry best practices, such as ITIL service management, as the framework for compliance. Best of all, their IT departments may already be using these best practices and tools. By planning ahead, implementing a structured approach such as ITIL, and establishing a collaborative effort between the IT and operations organizations, utilities will succeed in achieving compliance, and in the process will establish a long-lasting approach to managing their critical assets.