Bloggers: Ken Agress, Kim May, Doug Simmons, and Bob Smock
Compliance concerns aren’t anything new in today’s market. For the electric utility industry, what has been emerging is a set of standards issued by the North American Electric Reliability Corporation (NERC). These standards cover Critical Infrastructure Protection (CIP) and define requirements for both physical and cyber-assets that electric utility companies must address. The Federal Energy Regulatory Commission (FERC) has made these standards mandatory beginning this month (July, 2009), and has the power to levy significant fines to enforce compliance. Like many legal or regulatory issues, the NERC requirements have many electric utility companies concerned about their ability to adopt and implement the standards required in a timely fashion.
It’s at times like these that a systematic and comprehensive approach to protection and other technology areas really pays off. By following a formal architecture process or methodology, electric utility companies can evaluate the impact of new regulations or requirements on a number of fronts:
- Where does the enterprise already comply with the standards?
- How does the current architecture fail to comply?
- Do planned projects or activities already in a technology roadmap provide or improve compliance?
- What architectural changes must the enterprise make to comply?
These are all key questions, particularly when confronted with relatively wide-ranging standards like the NERC standards. But these challenges aren’t unique to NERC. They exist for PCI or modifications to legal requirements like Sarbanes-Oxley.
Enterprises that adopt a structured, formal approach to setting technology standards, like the Burton Group Reference Architecture, are much better positioned to assess the impact of new standards, identify gaps that must be addressed, and implement remedies in a timely fashion. Further, this approach identifies requirements and relationships between different areas of the technology environment that help define all of the impacted technology areas, which is important since protection and security requirements can easily impact network, identity, and application standards.
Burton Group is in the process of preparing a report that covers just these issues – demonstrating how our Reference Architecture maps to the NERC requirements and how the architecture process can assist electric utilities in assessing the overall impact and making the changes necessary to meet the compliance requirements. Indeed, our review of the NERC requirements shows that our Reference Architecture maps to NERC requirements on a nearly one-for-one basis.
Which goes to emphasize one point – it’s not that the technologies themselves are hard to implement or impossible to integrate. It’s that our thinking within IT needs to focus on more than the “here and now” and day-to-day operations. Structure and strong standards are what arm us to meet both immediate and future needs and adapt rapidly when new business requirements are introduced.