Imagine your customers flicking the switch on in their homes, expecting the lights to turn on. When they don’t, they check the circuit breaker, but even that doesn’t work. Using their cell phone, they call you, the energy provider, and a person at the Helpdesk assures the customer that your facility is working on the problem, but your customer still sits in the dark… for a full day.
Such was the situation that eclipsed the Northeastern U.S. in 2003, leaving 50 million energy customers nationwide without power and, for some, without running water for up to two days. In response to this massive blackout 12 years ago, the Federal Energy Regulatory Commission (FERC) has since more closely monitored energy projects and several facets of energy sales to prevent similar situations that could disrupt the flow of energy to consumers.
Even with FERC taking a more proactive approach by implementing new standards and policies to prevent situations that could disrupt the flow of energy to the grid, there is still the possibility that there will be threats. Just a couple years ago, intruders breached the Metcalf substation in California. After cutting the fencing, the intruders stole construction equipment being used for security upgrades; however, despite the severity of the attack, Metcalf did not report the intrusion until five hours later. Only a year before, gunmen attacked the facility and in a move that nearly caused Silicon Valley, the U.S. technology hub, to lose power they shot out 17 transformers. In that earlier attack, the facility was out of service for a month. And both of these recent events demonstrated that energy facilities could still do more to protect the grid.
CIP Version 5: What is it, and Why Does it Matter?
However, the assaults on Metcalf are just two examples of the many possible threats to the nation’s bulk power system. In response to protecting against these many possible threats to the grid, in November 2013 FERC approved the North American Electric Reliability Corporation (NERC) CIP Version 5, which further helps decrease the likelihood of cyber-security risks to the bulk power system by strengthening the standards for critical infrastructure protection (CIP).
These new standards demand every energy facility to be more proactive about potential threats than ever before, and even facilities that were not included under previous versions of CIP must adhere to portions of the new standards. For this reason, as we look to improve security around the Bulk Electric System (BES) as a means to continue to improve the overall reliability, now is the time to become thoroughly familiar with CIP Version 5 and what it demands of all energy companies.
New Security Measures.
As far as policy changes go, CIP Version 5 requires several new measures to increase security. For example, new requirements and standards have been set regarding the identification of software and cyber assets that interconnect, and, if tampered with, could compromise and lead to the misoperation or instability of the BES.. Likewise, to increase physical security, the new version of CIP demands that energy facilities enforce certain procedures that were not strictly required before, which could dramatically change procedures for a number of facilities.
New Affected Facilities.
However, under previous versions of CIP, several generation facilities or employees were exempt from complying with the standards. Only those facilities that identified themselves as critically affecting the BES were required to adhere to the previous version, CIP Version 3. With CIP Version 5, though, all energy companies have been filtered into a tiered classification system, meaning all facilities that generate power for the grid are now required to follow and enforce at least some of these NERC CIP standards.
As Steven Parker notes in his Introduction to NERC CIP Version 5, “there is a dramatic expansion of systems that are in scope” for the new standards that were unaffected by earlier versions. With the new CIP version being implemented, many facilities and employees who had no exposure to any of these standards will require just-in-time training to make sure that they understand these new security standards and that they are in compliance.
Importance of Training Under CIP Version 5
Aside from the fact that many people who were unaffected under CIP Version 3 are now affected by CIP Version 5, the North American Electric Reliability Corporation (NERC) actually mandates training on the new standards. Under CIP Version 5, all energy facilities must have a record of training their employees on cyber security policies, recovery plans for BES Cyber Systems, proper responses to Cyber Security Incidents, and other procedures that help eliminate physical and cyber risks to the BES.
Not only do these training requirements ensure adequate knowledge transfer of the new CIP Version 5 standards, but they also ensure that your facility will pass any future audits. After all, when your facility is audited on how it is following and enforcing the new CIP v5 standards, they will examine the training you provide your employees to make sure that it is comprehensive and that all your employees have been trained. In addition, by training your personnel on CIP Version 5, you will empower them to identify, assess and correct deficiencies in how the new CIP Version 5 requirements are implemented, ultimately protecting your facility from non-compliance.
Adequately training your employees to truly understand CIP Version 5 compliance will also encourage them to be more proactive on the job. They will be able to more quickly mitigate any threat by correcting deficiencies in how the standards are implemented rather than just worrying about whether their facility is practicing the new CIP requirements in the best way possible.
CIP Version 5 & Blended Learning
Because CIP Version 5 is so diverse in its structure and application, your energy facility needs training that is flexible in its approach. To have flexible training that will adapt with you as you ensure that all your departments are compliant with the CIP Version 5 standards, consider a Blended Learning strategy. As the Thomson Job Impact Study found, Blended Learning with an eLearning component allowed employees to perform tasks with 159% more accuracy and 41% faster than without training.
In addition, with Blended Learning, your training caters to various audiences and training environments, allowing for all users to learn the material in a variety of ways. By implementing instructor-led training, for example, your employees will have an expert, a point of contact who will be training them and can answer any questions directly.
However, as part of your Blended Learning approach, the interactivity that eLearning offers supplements that training led by an instructor. An eLearning module allows a user to have a “hands-on” approach with in-the-moment activities and exercises. And they are able to review the content as they feel necessary, which encourages a higher-level, more active form of learning. Ultimately, eLearning sets and encourages the user to develop a baseline knowledge, allowing subject-matter expert instructors to then dive into the “nitty-gritty” content without having to account for students who have no knowledge on the subject.
Better yet, when combined with an Learning Management System (LMS), a user’s success is tracked and recorded. If your personnel are only at 75% completion, you can see that percent completion immediately and verify who has and hasn’t completed the content successfully. Not only does having an employee complete an eLearning module serve as a digital record that you have trained your employees per the CIP Version 5 requirements, but with the LMS, you can assign the same content to them every 15 months. So, when FERC comes to audit your facility, you can prove that your CIP Version 5 training and training schedule are in compliance.
Ultimately, you want to make sure that your employees are well-trained so that they can prevent and respond to any potential threats to the Bulk Electric System. After all, as an energy facility, you want to deliver consistent, reliable energy to consumers; you want to make sure that your facility is doing all it can to prevent physical and cyber-security threats. You want to make sure that what happened at the Metcalf substation has no chance of happening at your facility.