Meeting NERC change control requirements

There is a lot of talk about NERC and the effect its reliability standards will have on the power industry in North America. In March 2007, the Federal Energy Regulatory Commission (FERC) approved 83 NERC (North America Reliability Corporation) legally enforceable standards for the US bulk power systems, and in June 2007 compliance with these standards became mandatory and enforceable.

The NERC reliability standards are intended to define the functions needed to ensure that bulk electrical systems operate reliably. These standards include resource and demand balancing, facilities design, and transmission operations. Of particular interest for companies with SCADA and control systems in their plants are the standards related to critical infrastructure protection.

The first step in compliance with NERC regulations would be to identify the critical assets that need to be managed, as these assets become the basis for the subsequent standards. There are certainly many steps in meeting all of these requirements. One key standard focus is the requirement to implement change control and configuration management for critical cyber asset hardware or software. HMI/SCADA systems, DCS systems, and other control systems will comprise many of those assets.

In control

Change control is a process by which additions, deletions and changes are made to documents, software or other assets to identify, document and control changes to those components. In the context of a SCADA system, this is the set of configuration databases and files that comprise the running application such as screens, security configuration, tag database and other objects and files.

Some of the key elements of change control include access control, version control and auditing of changes to hardware and software assets. These elements can be enforced by process, using a software system or both. The benefit of using software is that the automated nature of it enables conformity to the NERC requirement continuously, without human intervention. Change control is important for establishing who in the organization has the ability to make changes to the identified assets either based on job function or geography.

Version control is critical to any change control process as it provides a historical record of changes to the asset configurations, as well as the ability to revert back if unexpected or incorrect changes are made.

Audit trails need to provide essential date, time, user name, activity and related comments on any change made to any asset in the system. It is also essential that changes to the system itself are recorded, as the system managing the assets becomes essential itself. Audit trails become a critical element, as they provide needed proof of compliance by maintaining a year of change control information on those critical assets.

Process

More is involved in meeting these change control requirements than just installing a system. In many cases it will require a change of process within the organization. It will be important to look at the current change process, no matter how ad hoc it may be, and adapt it to make use of a more structured approach.

There are software solutions such as GE Fanuc’s Proficy Change Management, which can help you meet the NERC requirements for change control and configuration management. Proficy Change Management is a client/server system that provides the essential elements of change control including version control, access control, audit trails and change notification.

It also provides an automated backup for SCADA and control assets to ensure that some of the elements of CIP-009 Recovery planning can be met by ensuring the correct version of a control program or SCADA system can be restored for disaster recovery.

No matter which solution you choose to implement, now is the time to get that ball rolling so you are able to easily meet the requirements that are inevitably coming your way.

As the Global Industry Director for GE Fanuc Intelligent Platform’s Infrastructure market, Marcel van Helten is responsible for driving innovative solutions into the market. GE Fanuc’s Infrastructure market includes water, oil and gas, and power. GE Fanuc Intelligent Platforms delivers the technology foundation for different innovative systems implemented by either GE or our partners for turbine control, balance of plant, transmission and distribution and sustainable energy generation.