Survey on Industry approach towards NERC CIP version 5 Standards

The enforcement timelines for NERC CIP Version 5 have already been declared and all registered entities with Medium and High Impact BES Cyber Assets need to comply with the new CIP Version by April 1, 2016; and the ones with Low Impact BES Cyber Assets need to comply by April 1, 2017.

MetricStream, in association with Corporate Risk Solutions, Inc., is trying to better understand from the industry professionals their reaction towards the new Standards and understand how their respective organizations are preparing to comply with these new CIP version 5 Standards from NERC.

We appreciate you taking the time to participate in this survey and contributing your thoughts on this important industry regulation. Please leave your official email ID for the complete report on the survey.

Question Title

* 1. Please provide your email address (official email IDs only) below if you wish to receive the final report of the survey results, as well as be entered into a contest where 3 lucky respondents will receive either an Amazon or Starbucks gift worth $50 USD.

Please provide your email address (optional):

Question Title

* 2. Please select the applicability of NERC CIP Version 5 to your organization from the following functional entity types.
(Check all that apply)

Balancing Authority

Distribution Provider

Generator Operator

Generator Owner

Interchange Coordinator or Interchange Authority

Reliability Coordinator

Transmission Operator

Transmission Owner

Other (please specify)

Question Title

* 3. How much do you understand NERC CIP version 5 requirements?

Completely (>95% of understanding)

Fair enough (80 – 95% of understanding)

Little confused with few standards (60 – 80% of understanding)

Working towards it ( 50 – 60 % understanding)

Yet to explore (<50% of understanding)

Question Title

* 4. How familiar are you in identifying the assets that were not subject to compliance under CIP Version 3 but might have to comply with CIP Version 5 of the Reliability Standards?

	Least	Less familiar	Neutral	Decently Familiar	Highly familiar
Familiarity	Familiarity Least	Familiarity Less familiar	Familiarity Neutral	Familiarity Decently Familiar	Familiarity Highly familiar

Question Title

* 5. How familiar are you about the fact that to pass an audit, it may be sometimes just sufficient to demonstrate an action undertaken for an effective compliance regimen as evidence?

	Least Familiar	Less familiar	Neutral	Decently Familiar	Highly familiar
Familiarity	Familiarity Least Familiar	Familiarity Less familiar	Familiarity Neutral	Familiarity Decently Familiar	Familiarity Highly familiar

Question Title

* 6. Under Version 5, the NERC CIP standards have become more stringent than before. In regard to this, how much do you think that these new standards demand more effort and documentation from the responsible entities in trying to satisfy the requirements?

	Least	Less	Neutral	Decent	High
Documentation changes to be made	Documentation changes to be made Least	Documentation changes to be made Less	Documentation changes to be made Neutral	Documentation changes to be made Decent	Documentation changes to be made High
Effort to be spent towards achieving compliance	Effort to be spent towards achieving compliance Least	Effort to be spent towards achieving compliance Less	Effort to be spent towards achieving compliance Neutral	Effort to be spent towards achieving compliance Decent	Effort to be spent towards achieving compliance High

Question Title

* 7. How much do you believe that implementing an automation tool for NERC CIP Version 5 compliance would help the electric utility companies in areas such as the following?

	Least	Less	Neutral	Markable	Most
Seamless Reporting	Seamless Reporting Least	Seamless Reporting Less	Seamless Reporting Neutral	Seamless Reporting Markable	Seamless Reporting Most
Avoiding manual effort	Avoiding manual effort Least	Avoiding manual effort Less	Avoiding manual effort Neutral	Avoiding manual effort Markable	Avoiding manual effort Most
Reducing the duplication of work	Reducing the duplication of work Least	Reducing the duplication of work Less	Reducing the duplication of work Neutral	Reducing the duplication of work Markable	Reducing the duplication of work Most
Removing human errors	Removing human errors Least	Removing human errors Less	Removing human errors Neutral	Removing human errors Markable	Removing human errors Most

Question Title

* 8. How much do you believe that management would be better audit ready to avoid any non-compliance issues if there is a robust system in place which can continuously track, monitor and report real-time status of all its NERC CIP compliance related processes? (Rate on a scale 1-5, with 1 being least relevant and 5 being most relevant)

	1	2	3	4	5
Audit readiness	Audit readiness 1	Audit readiness 2	Audit readiness 3	Audit readiness 4	Audit readiness 5

Question Title

* 9. What is your current approach to NERC CIP Compliance?
(Check all that apply)

Standalone NERC CIP Compliance Management Tool (COTS)

Document Management System

Internally developed tool

Manual / Spreadsheets and Documents

Not Applicable

Other (please specify)

Question Title

* 10. On a range of 1 to 5 (1 being least likely and 5 being most likely), what is the probability that you would agree that an automation tool backed by industry expert consultants would score more than just any other software tool?

	1	2	3	4	5
Agreement	Agreement 1	Agreement 2	Agreement 3	Agreement 4	Agreement 5

Question Title

* 11. What do you think will be your organization’s most difficult task in trying to comply with CIP version 5 standards?
(Check all that apply)

Transitioning from current version to version 5

Understanding the definitions and grouping of existing assets under BES cyber assets

Finding expert consultants who can guide us in the transition

Finding and implementing the right automation tool

Other (please specify)

Question Title

* 12. How are you preparing to comply with NERC CIP version 5?
(Check all that apply)

We already have a NERC compliance solution in place and will continue to use the same to even comply with NERC CIP v5

We are planning to implement an automation tool

We are seeking for consultancy services to help us understand and comply with CIP 5

We are not planning anything for now

Other (please specify)

Question Title

* 13. Among the new CIP Version 5 reliability standards, what do you think will be the most challenging standard for organizations (across all functional entity areas) to comply with? Why?
(Check all that apply)

CIP-002-5.1 Cyber Security - BES Cyber system categorization

CIP-003-5 Cyber Security - Security Management Controls

CIP-004-5.1 Cyber Security - Personnel & Training

CIP-005-5 Cyber Security - Electronic Security Perimeter(s)

CIP-006-5 Cyber Security - Physical Security for BES Cyber Systems

CIP-007-5 Cyber Security - System Security Management

CIP-008-5 Cyber Security - Incident Reporting and Response Planning

CIP-009-5 Cyber Security - Recovery Plans for BES Cyber Systems

Why?

Question Title

* 14. Ideally, how much time do you think it should take for an entity to complete its transition from current version to CIP v5?

Question Title

* 15. Would you be interested in trying out a quick, free and short demo of an automation tool which has been built specifically to address the challenges and help entities transition and comply with NERC CIP Version 5?

Yes. More information would help.

No thanks.

Send me more information here (email only)

Question Title

Question Title

* 2. Please select the applicability of NERC CIP Version 5 to your organization from the following functional entity types.(Check all that apply)

Question Title

* 3. How much do you understand NERC CIP version 5 requirements?

Question Title

* 4. How familiar are you in identifying the assets that were not subject to compliance under CIP Version 3 but might have to comply with CIP Version 5 of the Reliability Standards?

Question Title

* 5. How familiar are you about the fact that to pass an audit, it may be sometimes just sufficient to demonstrate an action undertaken for an effective compliance regimen as evidence?

Question Title

* 6. Under Version 5, the NERC CIP standards have become more stringent than before. In regard to this, how much do you think that these new standards demand more effort and documentation from the responsible entities in trying to satisfy the requirements?

Question Title

* 7. How much do you believe that implementing an automation tool for NERC CIP Version 5 compliance would help the electric utility companies in areas such as the following?

Question Title

Question Title

* 9. What is your current approach to NERC CIP Compliance?(Check all that apply)

Question Title

* 10. On a range of 1 to 5 (1 being least likely and 5 being most likely), what is the probability that you would agree that an automation tool backed by industry expert consultants would score more than just any other software tool?

Question Title

* 11. What do you think will be your organization’s most difficult task in trying to comply with CIP version 5 standards?(Check all that apply)

Question Title

* 12. How are you preparing to comply with NERC CIP version 5?(Check all that apply)

Question Title

* 13. Among the new CIP Version 5 reliability standards, what do you think will be the most challenging standard for organizations (across all functional entity areas) to comply with? Why?(Check all that apply)

Question Title

* 14. Ideally, how much time do you think it should take for an entity to complete its transition from current version to CIP v5?

Question Title

* 15. Would you be interested in trying out a quick, free and short demo of an automation tool which has been built specifically to address the challenges and help entities transition and comply with NERC CIP Version 5?

* 2. Please select the applicability of NERC CIP Version 5 to your organization from the following functional entity types.
(Check all that apply)

* 9. What is your current approach to NERC CIP Compliance?
(Check all that apply)

* 11. What do you think will be your organization’s most difficult task in trying to comply with CIP version 5 standards?
(Check all that apply)

* 12. How are you preparing to comply with NERC CIP version 5?
(Check all that apply)

* 13. Among the new CIP Version 5 reliability standards, what do you think will be the most challenging standard for organizations (across all functional entity areas) to comply with? Why?
(Check all that apply)