Basin Electric's first NERC CIP audit completed

Basin Electric’s first-ever compliance audit for Critical Infrastructure Protection (CIP) was conducted by the Midwest Reliability Organization (MRO) in August.

The audit looked at the cyber and physical security initiatives Basin Electric has in place, focusing on five North American Electric Reliability Corporation (NERC) reliability standards and 18 of the 39 NERC CIP requirements.

The audit covered the following areas:

  • Cyber security
  • Physical security
  • System security management
  • Change management
  • Transmission substation physical security

This was Basin Electric’s first CIP audit, because prior to 2016 the co-op had not identified any “critical” CIP assets, says Dave Rudolph, manager of NERC compliance.

Basin Electric’s CIP team was notified about the audit in May. The notification also outlined the timeline of data deliverables leading up to the onsite audit.

Various level one and level two data requests were due to auditors in June and early August for their review before coming onsite to Basin Electric. Leading up to the onsite audit, auditors also conducted interviews with Basin Electric subject matter experts and requested additional data.

The onsite audit included tours of Basin Electric Headquarters, substations, and a backup data center. The onsite portion concluded with auditors presenting their findings.

Results

“Overall, Basin Electric’s CIP team did a great job,” Rudolph says. “For being our first audit and having heard stories from other entities, it went as well as can be expected.”

The audit identified the following results:

  • Two issues of potential non-compliance. These are lower-risk non-compliance issues, and mitigation strategies are already being developed.
  • One area of concern.

Internal CIP audit team reaches co-op wide

The CIP audit was broad and touched many areas within Basin Electric.

The following areas within Basin Electric participated in the MRO CIP Compliance Audit:

  • NERC compliance (transmission compliance division of Transmission, Engineering, and Construction)
  • Information systems and telecommunications (operational technology, network, and telecom divisions of finance/information systems, and telecommunications)
  • Security and response services – physical security
  • Transmission system maintenance

Senior Vice President of Operations John Jacobs served as the designated CIP senior manager.

“This was a broad-reaching audit,” Rudolph says. “In the months leading up to it, all of the employees involved spent a significant amount of time outside of normal business hours – weekends and evenings – to prepare.”

Aside from the months of preparation leading up to the audit, Basin Electric’s CIP team has been meeting regularly for the past six years to prepare the program.

Next steps

Basin Electric received the draft audit report on Oct. 3 and the final audit report on Oct. 29.

The MRO will begin the process of reviewing the identified issues of potential non-compliance and determining the next steps: either a financial penalty (with formal mitigation) or a compliance exception. This process may take up to one year to complete.

Rudolph says the MRO will also inform Basin Electric within the next six months to one year about the timing of future audits, which he anticipates happening more frequently.