Keeping Ahead of Power Industry Regulations: A Q&A with James Holler
Critical infrastructure protection is a key issue for regulators. Once voluntary, the North American Electric Reliability Corporation's (NERC) critical infrastructure protection (CIP) requirements are now strictly enforced, with six-figure fines awaiting both individuals and companies that do not demonstrate concrete steps to comply with the guidelines.
The regulations themselves keep getting tougher — the Federal Energy Regulatory Commission (FERC) recently proposed revisions to the CIP reliability standards that would broaden CIP-008-5 for incident reporting and response planning. The new rules would include mandatory reporting of cybersecurity incidents that compromise an entity's Electronic Security Perimeter (ESP) or Electronic Access Control or Monitoring Systems (EACMS). If adopted, the new framework would mean companies need to report incidents when discovered, and well before they cause any harm, rather than only if one or more reliability tasks have been disrupted. This would be a game-changer for many teams, requiring them to continuously up their risk mitigation efforts.
We sat down with James Holler, Doble's new regulatory compliance director, to get more insight on the evolving landscape. James is leading the charge on compliance and cybersecurity mitigation initiatives for Doble's customers, which will include tools for robust infrastructure protection, including gap analysis, mock audits, training, managed services, and cyber vulnerability assessments.
What led you to a career in the power industry?
I got into the power industry by accident. I was working in compliance most of my post-military career, concentrating heavily in the healthcare and insurance side of corporate America, when a friend asked if I had ever heard of NERC. I said that I had not, and he then handed me over 1,700 pages of the NERC requirements to read. After digesting the information, I realized there was a lot of opportunity and compliance work to be done in the power industry, and took a consulting position in charge of all regional NERC and FERC audits with Abidance Consulting.
Which key milestones, pieces of advice, or events have impacted your career the most?
When in the military, I experienced the quick pace of the compliance world firsthand. My colleagues were struggling to adhere to requirements, and those in charge of enforcement didn't always know how to best hold folks accountable. I wanted to fix this divide in the corporate world by educating clients on what is expected of them from a regulatory perspective and what they can do about it, so they can make knowledgeable, confident compliance decisions.
What do you most enjoy about the type of work you do?
The industry is constantly changing. In accounting, two plus two will always equal four, but in regulatory compliance, what was true yesterday isn't always true today. That's what makes it exciting.
What does the regulatory landscape in the power industry look like today?
It is fast moving and constantly changing. At any point in time there are at least a dozen requirements either being modified or created. There is no slowing down the NERC compliance “machine”. These regulations will continue to unfold at breakneck speeds, which is why companies need to stay informed on these developments so they can make sure they're not inadvertently breaking the rules.
Which legislation and trends should power companies pay most attention to, and why?
Definitely NERC's guidelines as they are the most impactful and wide-reaching, but it's important to remember many companies have other business-specific requirements they need to adhere to. If they are publicly traded, there's Sarbanes-Oxley to consider; if they have a government contract, FISCAM is involved; if they have medical staff on hand at a plant or other areas, HIPAA may come into play. There's also NIST 800-171, which deals with security and encryption that may be pertinent.
With all of this in mind, teams still need to do the actual job they were hired to do, which is to make and distribute power. This is why it pays to have a team dedicated strictly to compliance, and also consider bringing in a third party to handle the work for a fraction of the cost of training the internal team.
What is the biggest pain point around compliance in the power industry today?
The two major pain points are time and money. The staff at power companies is often stretched so thin there literally aren't enough hours in the day for them to do their “real job” and simultaneously keep up with the regulatory requirements. Doble's goal with rolling out the new compliance program is to enable clients to go back to doing what they do best, which is making and transmitting power, while we augment the day-to-day of NERC, FERC, and OSHA compliance. By doing this, we are confident our clients will be less stressed and assured they are not only complying with requirements, but also set for the future in a more cost-effective and less time-consuming way than the approach they take now.
Where do you see the industry heading in five to ten years?
I see the industry continuing to identify and respond to different vulnerabilities, for example, an electromagnetic pulse (EMP) attack. The current administration is pushing hard for a protective “shield” for the power grid. This is such a serious matter that FERC and NERC are creating a notice of proposed rulemaking (NOPR) to address this. Regulatory compliance will play a huge role in protection. Doble's sister company, ETS-Lindgren, is an expert in this area and they're working with us to address these concerns for clients.