What do high-voltage power lines and IT service management software have in common? As of April 1, 2016, their futures both hinge on compliance with these seven letters: NERC CIP. Let's drain the alphabet soup and find out why.
What is NERC CIP?
The first half of this acronym stands for the North American Electric Reliability Corporation, a nonprofit, federally recognized Electric Reliability Organization charged with overseeing the bulk transmission of electricity all across the country. That oversight extends to the modern IT-enabled equipment that makes bulk transmission possible.
Blackouts aren't the only threat to the power grid these days - in early 2015, the U.S. energy infrastructure was attacked once every four days on average, according to USA Today. As the rate of technological advancement increases and these innovations are incorporated into existing energy infrastructure, organizations like NERC and agencies like the Federal Energy Regulatory Commission must stay one step ahead of cyberattacks by ensuring companies connected to the national grid do not compromise the entire network through their IT shortcomings.
That's where CIP comes into play. With the title of an Electric Reliability Organization (or ERO), NERC has the power to impose a Critical Infrastructure Protection plan, a list of standards aimed at protecting the critical assets on which the national grid relies, along with other kinds of technology directly connected to these assets. The standards cover topics ranging from how to properly report cyberattacks, to physical security measures, to the processes an organization must develop to lock down digital security. The latest update, NERC CIP Version 5, expands on compliance standards NERC set in motion in 2008 and adds two new compliance orders to the previous nine.
What Does This All Mean for Private Enterprise?
Any company using, owning or operating bulk power system technology, like energy generators or transmission organizations, must register with NERC and be in full compliance with all CIPs; the same applies to third-party providers managing complementary technology. As a result, enterprise IT has quite a weight to carry: NERC CIPs specifically target and scrutinize aspects like a system's ability to identify connectivity between cyber assets and the relevant physical assets, and to maintain minimum security management requirements. These actions fall under the IT department's jurisdiction, and its ability or inability to perform these tasks can ultimately decide the greater organization's fate.
Additionally, one of the two new CIPs directly impacts configuration change management and CMDB monitoring. According to NERC, IT personnel must be able to perform "vulnerability assessment requirements" to determine how an altered configuration could potentially lead to the failure of critical energy assets, as well as the scope of such an event. To that end, how adeptly an ITSM suite handles the breadth of service portfolio management truly matters, ITIL or otherwise. A greater depth of analysis and review of changes made to configuration over a given time provides valuable insight to both users and NERC as the organization fights to protect the grid from intentional or unintentional IT-related system failure.
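The two activities described above, comparing a cyber asset's current configuration against its recorded baseline and working out which other assets a change could affect, are the core of what a CMDB-backed change review does. The following is an added illustration, not code from the original post and not NERC's, any vendor's or any ITSM product's own implementation. The asset names, configuration parameters, dependency links and approved change records are constructed for the example; the matching of a configuration difference against an approved change record, and the dependency walk that estimates the scope of a failure, are the technique being shown.

```python
"""Configuration baseline change detection for a CMDB-style inventory.

Added example (not from the original post, and not NERC's or any vendor's
code). Assets, parameters, dependencies and approved change records are
all constructed for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    baseline: dict                                  # parameter -> value at the last review
    depends_on: list = field(default_factory=list)  # assets this one relies on


@dataclass
class ConfigChange:
    asset: str
    parameter: str
    old: object
    new: object
    approved: bool   # True when an approved change record covers this (asset, parameter)


def detect_changes(assets, snapshots, approved_changes):
    """Compare current snapshots against each asset's recorded baseline.

    approved_changes is a set of (asset, parameter) pairs covered by a change
    record. Any other difference from the baseline is flagged as unapproved and
    must be reviewed before it can be accepted as the new baseline.
    """
    findings = []
    for asset in assets:
        current = snapshots.get(asset.name, {})
        for key in sorted(set(asset.baseline) | set(current)):
            old, new = asset.baseline.get(key), current.get(key)
            if old != new:
                findings.append(ConfigChange(asset.name, key, old, new,
                                             (asset.name, key) in approved_changes))
    return findings


def impact_scope(assets, asset_name):
    """Return the names of assets that depend, directly or transitively, on asset_name."""
    dependents = {}
    for asset in assets:
        for dep in asset.depends_on:
            dependents.setdefault(dep, set()).add(asset.name)
    affected, stack = set(), [asset_name]
    while stack:
        current = stack.pop()
        for name in dependents.get(current, ()):
            if name not in affected:
                affected.add(name)
                stack.append(name)
    return affected


def review_queue(assets, snapshots, approved_changes):
    """Unapproved changes, each paired with the set of assets a failure could reach."""
    return [
        {"asset": c.asset, "parameter": c.parameter, "old": c.old, "new": c.new,
         "scope": impact_scope(assets, c.asset)}
        for c in detect_changes(assets, snapshots, approved_changes)
        if not c.approved
    ]


# Constructed sample inventory: a protective relay, an HMI that reads it, and a
# historian that archives the HMI's data.
SAMPLE_ASSETS = [
    Asset("relay-01", {"firmware": "4.2", "remote_access": False}),
    Asset("hmi-01", {"os_patch_level": "2016-03", "default_creds_removed": True},
          depends_on=["relay-01"]),
    Asset("historian-01", {"tls": True}, depends_on=["hmi-01"]),
]

# Constructed current snapshots: the relay was upgraded (approved) and also had
# remote access switched on (no change record).
SAMPLE_SNAPSHOTS = {
    "relay-01": {"firmware": "4.3", "remote_access": True},
    "hmi-01": {"os_patch_level": "2016-03", "default_creds_removed": True},
    "historian-01": {"tls": True},
}

SAMPLE_APPROVED = {("relay-01", "firmware")}


if __name__ == "__main__":
    for item in review_queue(SAMPLE_ASSETS, SAMPLE_SNAPSHOTS, SAMPLE_APPROVED):
        print(f"{item['asset']}.{item['parameter']}: {item['old']} -> {item['new']}"
              f"  (review required; downstream scope: {sorted(item['scope'])})")
```

Running the block reports the single unapproved change (remote access enabled on the relay) together with the two assets downstream of it, which is the "scope of such an event" the assessment requirement asks for. The approved firmware upgrade is recorded but not queued for review, which is the distinction a change-management process needs in order to separate planned work from drift.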
NERC CIP compliance isn't only about keeping the bad guys out of enterprise IT. Instead, this oversight aims to regulate change management in a way that shines a light on unnecessary security risks while still allowing companies to retain control over their customer-facing and internal applications with timeliness and efficiency. With that in mind, the evolution of IT change management as a service truly needs NERC CIP to develop effectively.
In the coming month, we'll talk more about how change management plays an active and expanding role in NERC CIP compliance, especially in Version 5. We will also discuss how businesses striving to reach compliance can do so with enhanced change management features from more comprehensive ITSM software.