How to Reduce Visitor Control Risk in a Power Utility (CIP-006 R2)
CIP-006 covers physical security and visitor control for power utilities. It’s also a top source of NERC/CIP violations and fines almost every year. To help utilities proactively address issues around CIP-006 R2 visitor control, we analyzed over 1 million data points, looking for potential failures that could become violations. Data included* visitor and escort log entries from our high- and medium-impact site users with Gatekeeper deployed.
The findings below represent would-be CIP-006 R2 failures that were stopped by our hardware and software. If not prevented, each could have resulted in a possible violation.
CIP-006 R2 Failures: Common Visitor Control Problems
Following are the most common sources of possible CIP-006 R2 violations from our data analysis. Our findings may help you quantify and address your current CIP-006 R2 compliance risk.
Incomplete and Inaccurate Log Data
In roughly 3-6%* of all power utility visits, personnel attempted to finish a check-in with incomplete or inaccurate log entries. For a 100+ location power utility, this could equate to thousands of inaccurate and incomplete data entries per year—each one a possible violation.
Incomplete PSP Logouts
An escort who attempts to leave a CIP area without logging out their visitors could generate a CIP-006 R2 violation. Our data shows that in roughly 3-6%* of all visits, the escort attempted to move on without proper logouts.
Unauthorized Escorts
A surprising number of escort-required visits are attempted by a person who is not a CIP-authorized escort. An unauthorized escort could result from a lack or lapse of escort training, the absence of a justifiable business need to be in the area, or the absence of a current PRA on file.
Repeat Offenders
Roughly 25%* of all would-be violations stemmed from the same person or group of people.
Contractors and Employees Are Equal in the Mistakes
We expected non-employees to generate the lion’s share of CIP-006 R2 mistakes. Not so. Employees are equally culpable in causing would-be violations.
We have a way to manage risk that wasn’t possible before. Where Gatekeeper is deployed, I don’t have to worry about [compliance risk in those sites].
Sr. Mgr. Critical Infrastructure + Compliance
We moved away from another electronic solution that wasn’t written for the [CIP-006-R2] standard. It wasn’t as effective. We don’t need a backup method [with Gatekeeper]. We’re completely confident that the system will always be available, and the support is exceptional.
Former WECC Auditor; CIP Team, Corporate Security Group
We have real-time visibility of people in CIP areas and know about risk right away. I used to have to wait over a month to know what my exposure was. Now we can quickly understand where the problem is and address it immediately.
Senior Governance + Risk Analyst, NERC/CIP Program Management
How to Stop Visitor Control Violations: Enforce
To prevent CIP-006 R2 violations and fines, you must do more than check in visitors. Your system must eliminate human errors and enforce your policies. It must be built for CIP-006 R2. Any system that does not ensure complete and accurate capture of each log entry, does not validate each person’s authorization, and does not enforce your requirements will be rife with human performance error, which is the primary root cause of CIP-006 R2 violations. A system that automatically enforces compliance requirements is the solution. Here’s what that looks like:
Technology Is Always On
To have a complete record of visitors across all your sites, your system must always be available to capture visitor data. Can your system capture data with no connectivity, if hardware breaks, or if your software experiences downtime? Is your solution proactively pinging all your devices to ensure they are always on?
Validate Data Is Accurate and Correctly Captured for Your Audit Later
To prevent violations, your visitor intake must validate that the data captured is accurate and complete, and must validate that every would-be escort is authorized to escort.
For CIP-006 R2 specifically, is your information captured in the correct order for an auditor to review later, or does your team need to spend countless hours cleaning up when a CIP audit request comes in? To enforce the regulation, your solution must be built for the regulation.
Automatically Enforce CIP-006 R2 Requirements
Data show us that passive enforcement leads to thousands of possible violations sitting in your logs. To drastically reduce compliance risk, use a system with strong internal controls that stop violations before they occur.
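As an added illustration (not Gatekeeper's code or the page's own), the following Python checks constructed visitor log entries for the failure classes described above: incomplete entries, inaccurate timestamps, escorts who are not on the authorized roster, an escort badging out of the PSP while a visitor is still logged in, and a per-escort count to surface repeat offenders. The field names, the escort roster, the badge-out times and the log entries are all constructed for this example.

```python
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
REQUIRED = ("visitor", "escort", "psp", "time_in")  # minimum fields per entry
# Constructed roster of CIP-authorized escorts (placeholder names).
AUTHORIZED_ESCORTS = {"A. Lee", "B. Ortiz"}
# Constructed escort badge-out times (catch an escort leaving with a visitor open).
ESCORT_EXITS = {"A. Lee": "2024-03-04 12:00", "B. Ortiz": "2024-03-04 12:00"}
# Constructed visitor log; field names are this example's own choice.
VISITOR_LOG = [
    {"visitor": "V. Patel", "escort": "A. Lee", "psp": "Sub-1",
     "time_in": "2024-03-04 09:00", "time_out": "2024-03-04 11:30"},  # clean
    {"visitor": "", "escort": "A. Lee", "psp": "Sub-1",
     "time_in": "2024-03-04 09:10", "time_out": "2024-03-04 10:00"},  # no name
    {"visitor": "W. Chen", "escort": "C. Nobody", "psp": "Sub-1",
     "time_in": "2024-03-04 10:00", "time_out": "2024-03-04 10:45"},  # bad escort
    {"visitor": "X. Diaz", "escort": "B. Ortiz", "psp": "Sub-1",
     "time_in": "2024-03-04 11:00", "time_out": None},                # no logout
]

def _parse(ts):
    return datetime.strptime(ts, FMT) if ts else None

def check_entry(entry, authorized, escort_exits):
    """Return the CIP-006 R2 failure classes found in one visitor log entry."""
    findings = [f"incomplete:{f}" for f in REQUIRED if not entry.get(f)]
    escort = entry.get("escort")
    if escort and escort not in authorized:
        findings.append("unauthorized_escort")
    try:
        t_in, t_out = _parse(entry.get("time_in")), _parse(entry.get("time_out"))
        left = _parse(escort_exits.get(escort)) if escort else None
    except ValueError:
        return findings + ["inaccurate:timestamp"]
    if t_in and t_out and t_out < t_in:
        findings.append("inaccurate:out_before_in")
    if t_in and left and (t_out is None or t_out > left):  # escort gone, visitor open
        findings.append("escort_left_without_logout")
    return findings

def check_log(log, authorized=AUTHORIZED_ESCORTS, escort_exits=ESCORT_EXITS):
    """Map entry index -> findings, plus a per-escort count to spot repeat offenders."""
    report, per_escort = {}, Counter()
    for i, entry in enumerate(log):
        found = check_entry(entry, authorized, escort_exits)
        if found:
            report[i] = found
            per_escort[entry.get("escort") or "<missing>"] += len(found)
    return report, per_escort
```

Running `check_log(VISITOR_LOG)` flags entries 1, 2 and 3 and attributes one finding each to A. Lee, C. Nobody and B. Ortiz; a real deployment would run this at check-in so the entry is rejected rather than discovered at audit time.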
Always Know Real-Time Risk
Knowing your risk in real time and across all locations pivots CIP-006 risk assessment from a 90-day lagging indicator to a leading one.