Ideas to Ease the Burden of Compliance

By Troy Dahlgren, NERC Reliability Specialist

As NERC Standards become more technical and the knowledge needed to maintain compliance grows with them, entities are finding that the burden of compliance is increasing, and with it the chance of non-compliance. Here are two ways to reduce that burden while still producing quality evidence.

Battery monitoring systems 

Battery monitoring systems satisfy the component attribute requirements in PRC-005-6 Table 1-4(f) and are a cost-effective way to reduce the man-hours spent on inspections and testing. The monitoring system can reside on the IT network, with its alarms delivered to the DCS over hardwired points rather than a network connection. Because those hardwired points are the only path into the DCS, the monitoring system does not become part of a BES Cyber System and need not be added to the BES Cyber Systems and Cyber Assets lists.

For Facilities that are not manned 24/7, the system can be configured to send an email or text message alarm for conditions that require maintenance. An alarm can also be generated when the server loses communications with the monitoring system. That alarm signals the start of corrective action to restore communications, and if communications cannot be restored within the allowed timeframe it also starts the clock on the maximum maintenance intervals that apply when the attributes are not being monitored, since from the moment of loss those attributes are no longer being verified.

Transient Cyber Assets (TCA) and Removable Media scanning  

Scanning TCA and Removable Media to prevent the introduction of malicious code into BES Cyber Systems is another major area of concern. Many entities appear to rely on a paper form and a scan run from the business network, a process with enough manual steps that a record is easily missed and a gap in compliance results. Two simple solutions reduce the opportunity for missed steps.

One is a hardware-based solution that scans many types of removable media; the other is a cloud-based solution that checks the security posture of non-managed or third-party TCAs. The hardware solution is a stand-alone kiosk that can be connected to the business network on its own VLAN so that segregation from other systems is maintained. It allows on-site scanning of Removable Media and can be configured with questions that must be answered. The responses record who and what accessed the BES Cyber System or its assets and why that access was needed, and the kiosk generates a report that is clear, concise and auditable.

The cloud-based solution checks a non-managed TCA by having its user log on to a portal that scans the machine's security posture: the current Windows version, anti-virus and anti-malware software, patch history, known vulnerabilities, and when the device was last scanned. A report is generated in real time and can be uploaded to a secure location for evidence tracking. Because the report reflects the device only at the moment of the scan, the evidence should record the scan time and the device identity alongside the result.
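The posture check and evidence step described above, as an added example that is not code from the article or from any portal vendor. It evaluates one scan record against an entity's minimum requirements and wraps the result, the device identity, the operator and the timestamps into a hashed evidence record that can be re-verified after upload. The record layout, field names, thresholds and the two sample scans are all constructed for the example; a real deployment would map the portal's report fields onto them.

```python
"""Evaluate a TCA posture scan and produce a tamper-evident evidence record.

Added example. The scan record format, policy thresholds and sample data
below are assumptions, not the output or policy of any real product.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Hypothetical policy thresholds (the entity sets its own).
MAX_SIGNATURE_AGE = timedelta(days=1)
MAX_PATCH_AGE = timedelta(days=35)
MAX_SCAN_AGE = timedelta(days=30)
MIN_WINDOWS_BUILD = 19045  # assumed baseline build number


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) from the scan record."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_posture(scan: Dict, now: datetime) -> Dict:
    """Apply the minimum posture checks to one scan record; DENY on any finding."""
    findings: List[str] = []
    os_info = scan["os"]
    if os_info["name"] != "Windows" or os_info["build"] < MIN_WINDOWS_BUILD:
        findings.append(f"OS {os_info['name']} build {os_info['build']} below baseline")
    av = scan["antivirus"]
    if not av["real_time_protection"]:
        findings.append("real-time protection disabled")
    if now - _ts(av["signature_date"]) > MAX_SIGNATURE_AGE:
        findings.append("antivirus signatures older than policy allows")
    if now - _ts(scan["last_patch_installed"]) > MAX_PATCH_AGE:
        findings.append("no security patches installed within policy window")
    if now - _ts(scan["last_malware_scan"]) > MAX_SCAN_AGE:
        findings.append("last malware scan older than policy allows")
    if scan["known_vulnerabilities"]:
        findings.append(f"{len(scan['known_vulnerabilities'])} unmitigated known vulnerabilities")
    return {"verdict": "ALLOW" if not findings else "DENY", "findings": findings}


def _canonical(body: Dict) -> bytes:
    # Sorted keys and fixed separators so the same content always hashes the same.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evidence_record(scan: Dict, result: Dict, operator: str, now: datetime) -> Dict:
    """Bind device, scan time, operator, posture and verdict together under a SHA-256."""
    body = {
        "device": scan["device"],
        "scanned_at": scan["scanned_at"],
        "evaluated_at": now.isoformat(),
        "operator": operator,
        "posture": {k: scan[k] for k in ("os", "antivirus", "last_patch_installed",
                                          "last_malware_scan", "known_vulnerabilities")},
        "result": result,
    }
    return {"record": body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_record(rec: Dict) -> bool:
    """Recompute the hash; False means the stored record was altered."""
    return hashlib.sha256(_canonical(rec["record"])).hexdigest() == rec["sha256"]


# Constructed sample scans (not real devices or real portal output).
NOW = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)
GOOD_SCAN = {
    "device": {"hostname": "vendor-laptop-01", "serial": "SAMPLE-0001"},
    "scanned_at": "2024-03-05T13:55:00Z",
    "os": {"name": "Windows", "build": 19045},
    "antivirus": {"real_time_protection": True, "signature_date": "2024-03-05T06:00:00Z"},
    "last_patch_installed": "2024-02-14T00:00:00Z",
    "last_malware_scan": "2024-03-04T22:00:00Z",
    "known_vulnerabilities": [],
}
STALE_SCAN = {
    **GOOD_SCAN,
    "device": {"hostname": "vendor-laptop-02", "serial": "SAMPLE-0002"},
    "antivirus": {"real_time_protection": True, "signature_date": "2024-02-20T06:00:00Z"},
    "last_patch_installed": "2023-12-01T00:00:00Z",
}

if __name__ == "__main__":
    for scan in (GOOD_SCAN, STALE_SCAN):
        result = evaluate_posture(scan, NOW)
        rec = evidence_record(scan, result, operator="j.doe", now=NOW)
        print(scan["device"]["hostname"], result["verdict"], result["findings"], rec["sha256"][:16])
```

The hash is only as good as where it is kept: store the digest (or the whole record) in a location the operator cannot edit, so that a later reviewer comparing the uploaded report against the digest can tell whether the evidence is the one produced at scan time.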

The solutions discussed above lessen the burden of compliance for Standards that are difficult to maintain compliance with, and they produce evidence that makes compliance easy to demonstrate.