Page 92 - Cyber Defense eMagazine December 2022 Edition

The role of the compliance analyst

            You meet your compliance needs with the help of compliance analysts. They are typically company
            employees, preferably people who are very comfortable with extracting and manipulating data from
            various sources. You also want them to be good at coding. And if anyone has to know the NERC
            requirements, it is them. They may go to the plant for a few days now and then, but the bulk of their work is
            done back at the office or perhaps at home. Their aim is to avoid NERC fines by generating evidence that the
            power plants comply with the CIP standards. The same compliance data serves two further purposes: it feeds
            the Key Performance Indicators (KPIs) you report to upper management, and it informs your engineering
            team's decisions when they do maintenance.

            If your program is new and you are hiring an inexperienced (but technically sound) analyst, the best
            strategy is to let them work at a single site first. Let them get acquainted with the compliance requirements
            and the tools available at the plant until they figure out a way to automate the extraction of this data and
            can cover multiple sites simultaneously. Power companies have often merged the roles of compliance
            analyst and engineer, but the results have not been great, because the analyst and the engineers frequently
            have conflicting interests. By contrast, a well-trained compliance analyst can easily oversee five or more
            plants as their methods improve. They can also train new hires, shortening the learning curve once the
            program is underway.



            Engineers provide routine maintenance

            Cybersecurity engineers are typically a rotating workforce traveling to different sites for maintenance.
            The right engineer will know computer systems very well and be confident troubleshooting for hours until
            they find a solution. Recruiting IT professionals has not yielded results as good as hiring former control
            engineers. Smaller companies that do not see it as economically viable to employ full-time engineers can
            outsource these roles to vendors. The engineers install software patches, update antivirus definitions and
            various software packages, and troubleshoot common issues. A trained engineer can typically complete
            these tasks in about one week per site. Patching every plant once a month is too costly and resource-intensive
            for most companies, so most power plants tend to complete these tasks at a slower frequency, for
            example once every three months. Note that a slower installation cadence does not stop the CIP-007 patch
            management clock: applicable patches still have to be evaluated on the 35-day cycle, and anything not
            installed within the following 35 days needs a dated mitigation plan. Under extraordinary circumstances,
            NERC allows exceptions, but in general it is not ideal to rely on them, because the risk of non-compliance
            is higher.

            The goal of the engineers is to provide a working system from which compliance analysts can extract their
            data, and to provide company employees with the tools to protect their systems. When a change is
            needed, the engineers are the people who know the software intimately enough to make it. However,
            engineers are not the end users of most of the tools they help maintain.



            Who are the end-users?

            Letting local employees at a power plant run the day-to-day cybersecurity operations can be a
            controversial decision. It is the norm in the IT world to have a dedicated (read "trusted") team handle
            computer security concerns and relieve employees of any responsibilities regarding configuring their




            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.