In part 1 of this blog series we discussed compliance firefighting. We mentioned that a proactive approach can reduce the amount of fires and save costs in the long run. In this part we’ll dive into the details and show how you can produce better security as an output from your compliance efforts.
With the increasing amount and complexity of cyber-attacks during the pandemic, companies need to go beyond the minimum regulatory requirements. In our recent webinar with Archer Energy Solutions, their Managing Partner, Steven Parker demonstrated that to obtain compliance with NERC CIP you only need a score of 415 out of 1000 on the C2M2 assessment. Evidently, companies are leaving many areas vulnerable when they decide to be minimally compliant. Doing just enough to past your audit won’t prevent compliance firefighting in the future.
Building Up from a NERC CIP Foundation
In June the Federal Energy Regulatory Commission (FERC), a federal agency that regulates the energy sector released a staff white paper, “Cybersecurity Incentives Policy White Paper”, to support initiatives going beyond compliance. As mentioned by Steven Parker in our joint webinar, “there is this concept of ‘the [NERC CIP] standards are a foundation; they are a base…but we need to do more…”. Although not an official FERC action it’s a big step towards encouraging organizations to take proactive measures.
This FERC white paper focused on best practices that are beyond the NERC CIP requirements. One of the best practices includes the use of NIST CSF as a framework to assess and improve their cyber risk management. Another best practice is using assets that are out of scope of CIP standards. Early implementation of future CIP standards is another way organizations can go beyond compliance. In return for carrying out these best practices, financial incentives may be provided in the future. These incentives aim to reduce the financial risks associated with a project or deferring and amortizing certain costs.
The FERC white paper was also a topic of interest in a recent senate hearing held to discuss improvements to cybersecurity in the energy sector and to further secure our power grid during this pandemic. With the interconnectedness of the energy sector and the importance of the power grid, it’s not enough for just one company to improve their cybersecurity. Joseph McClelland the Director of the Office of Energy Infrastructure Security (part of FERC) stated that “widespread disruption of electric service can quickly undermine the U.S. government, its military, and the economy, as well as endanger the health and safety of millions of citizens.”
Security as the Outcome, Compliance as a Byproduct
FERC is approaching cyber risk with a two-pronged method. The first prong is to uphold and enforce the mandatory NERC CIP standards. The other is to encourage organizations to go beyond compliance and implement best practices. Joseph McClelland believes that “While NERC reliability standards are the foundation of the commission’s work to address cybersecurity, there are additional measures that can and should be taken to further improve industry cybersecurity posture in light of the rapidly evolving threats”.
Many of our webinar attendees agreed with the FERC white paper – it’s time to carry out best practices. They wanted to be more proactive than reactive when it came to their cyber efforts. During a poll, nearly 67% of responders said that proactive control implementation is one of their compliance activities this year. Archer’s Managing Partner, Steve Parker and Axio’s Co-Founder David White both echoed this view:
“If you have to do something for compliance, you might as well go a little further and get to a better state of security and have your compliance result from your security efforts” – Steven Parker
“Produce security as an output and compliance as a byproduct” – David White
Using Axio360 as Your Ladder to Success
Archer Energy Solutions is a leader in cybersecurity consulting in the energy sector. Our partnership with Archer, along with our platform, Axio360 gives clients the necessary resources to take their cyber risk management to the next level. Our platform includes a number of frameworks including C2M2, NIST CSF and CMMC. To help clients improve their program while also ensuring compliance, we’ve included mappings to many standards. Within the NIST CSF there are mappings to NERC CIP, NIST 800-53 and more. Each question includes help text that shows which standards it’s in line with. This way clients can ensure that they’re meeting compliance standards while securing their organization.
Axio360 will allow you to continuously build a secure cyber risk management system while being compliant with mandatory standards. You’ll be able to follow these FERC best practices and improve your cyber risk management. We’re here to help you increase your cyber resilience efficiently and effectively.
For more information about how Axio360 can help, download our ebook to learn more.