NERC CIP Technical Feasibility Exceptions Consulting Services

As an electric utility or other power market participant subject to the 41 requirements of NERC CIP Reliability Standards CIP-002 through CIP-009, you realize that, for some of your cyber assets within your electronic security perimeter(s), strict compliance with all of the NERC CIP requirements may not be possible. For instance, how do you load anti-virus software on a network device that will not let you load anything but the vendor’s firmware, which lacks malware protection functionality? Or how do you require and enforce a password policy that calls for a combination of alphabetic, numeric, and “special” characters when the manufacturer requires that device passwords consist solely of upper-case letters?

When FERC approved the NERC CIP Reliability Standards, FERC directed NERC to establish a procedure for the submission, review, audit, and approval of Technical Feasibility Exceptions (TFEs). A Technical Feasibility Exception (TFE) is available where the text of the CIP standard requirement expressly provides either (i) that compliance with the terms of the requirement is required where technically feasible, or (ii) that technical limitations may preclude compliance.

Under NERC’s proposed rules, your organization may request approval for a TFE and have that request evaluated in the context or environment of your organization. A TFE may be applied to a NERC CIP requirement when satisfying the requirement: a) is not technically possible, b) is operationally infeasible, c) poses safety risks that outweigh the reliability benefits, d) conflicts with another regulatory requirement, or e) incurs costs that far exceed the reliability benefits.

It is important to emphasize that, under the TFE procedure, you cannot simply claim an exception to a requirement; you must identify compensating or mitigating measures as an alternative to achieving strict compliance with the requirement in question. You must also document a timeline both for implementing the compensating or mitigating measures and for ultimately achieving strict compliance with the requirement (if this will ever be possible; if not, the timeline for the compensating measures is indefinite). Once a TFE is approved, you will need to implement the compensating measures and periodically update NERC on your progress towards strict compliance.

There are many more nuances to the process just described. Encari can help your organization navigate the complex TFE request process, from supporting the initial preparation of the TFE request, through implementation and documentation of the compensating measures, to your final transition to strict compliance. Here are some of the services Encari provides:

  • TFE Needs Identification:  Encari can work with you to identify the situations where a TFE would be appropriate, helping you demonstrate a robust compliance program that NERC and FERC ultimately expect from Responsible Entities. 
  • Compensating or Mitigating Measures Definition:  Encari’s broad experience in cyber security technologies and the NERC CIP reliability standards requirements is applied to help you define appropriate, practical, executable and sufficient compensating or mitigating measures.
  • TFE Request Development:  Encari applies its expertise in the procedural intricacies involved in formulating a TFE request and assists Responsible Entities in persuasively articulating their unique circumstances.
  • TFE Request Enhancement:  Should your TFE request be disapproved, Encari will help you identify and implement the steps required to execute a successful resubmission or appeal.
  • Compensating or Mitigating Measures Implementation and Reporting:  Upon approval of the TFE request, Encari helps you adhere to established plans governing the implementation of compensating or mitigating measures.

To summarize, in many situations it is not technically feasible to strictly comply with CIP requirements. In these situations, a NERC Responsible Entity faces the choice of either self-reporting non-compliance (and developing a mitigation plan to come into compliance) or preparing TFE requests under the NERC procedures, and by doing so remaining in compliance.

Copyright 2008-2010 Encari, LLC.