NERC Compliance Monitoring - PowerPoint PPT Presentation

1
NERC Compliance Monitoring Enforcement Program
Update
Craig Lawrence, NERC Manager of Organization
Registration, Certification, and Monitoring
2
Electric Reliability Organization Overview
3
Compliance Program Design
  • Modeled after other industry-based
    self-regulatory organizations
  • Regional implementation
  • Regional Entities monitor users, owners,
    operators
  • Delegation agreements
  • NERC oversight role
  • Active oversight
  • Audits of regional implementation

4
NERC Compliance Staff Organization
(Org chart; hierarchy not recoverable from the slide, positions listed flat)
  • Vice President & Director of Compliance: David Hilt
  • Director of Regional Operations: Joel deJesus
  • Administrative Assistants
  • Director of Compliance Program Operations &
    Interfaces: Mike Moon
  • Manager, Registration, Certification &
    Monitoring: Craig Lawrence
  • Manager, Compliance Violation Investigations:
    Earl Shockley
  • Manager, Enforcement & Mitigation: Tim Kucey
  • Manager, Compliance Analysis, Reporting, Tracking &
    TFE: Mike DeLaura
  • Compliance Certification Auditor
  • Senior Compliance Investigators
  • Sr. Enforcement Compliance Analyst
  • Compliance Reporting Technical Analyst
  • Senior Regional Entity Compliance Program
    Auditors
  • Senior Program Interface Specialist: Vacant
  • Compliance Audit Group (CAG)
  • Regional Compliance Auditors
  • Compliance Process Administrator
  • Compliance Enforcement Administrator
  • Technical Analyst
  • Compliance Investigators
  • Data Management System Specialist
  • Organization Registration Engineer
  • Compliance Enforcement Analyst
  • Compliance Reporting Analysis Engineer
  • Compliance Monitoring Auditors
5
NERC Compliance Oversight of REs
  • REs to implement the CMEP as they are authorized
    and obligated to do in their region
  • Consistency and uniformity of CMEP implementation
    • Reliability Standards Audit Worksheets (RSAW)
    • Standardized CMEP process documents
      • Self-Reporting Form
      • Self-Certification Form
      • Mitigation Plan Submittal Form
    • Formal direction and guidance
      • e.g. Process Bulletins
    • NERC training
      • Auditor, CVI, CIP training
  • Audits of RE conformance to and performance of
    the Uniform CMEP

6
NERC Compliance Oversight of REs (CONTINUED)
  • Timeliness
    • Violation proceedings
    • Compliance Violation Investigations
  • Quality and Appropriateness
    • Substantive review and approval of REs' CMEP
      process outputs
      • e.g. Violations, Mitigation Plans, Settlements
  • Direct, Support, and Participate
    • Lead or participate in CVIs and CIQs
    • Lead or collaborate regarding Remedial Action
      Directives (RADs)

7
Organization Registration & Certification Group
  • Creates the ERO Compliance Registry
  • Identifies owners, operators, and users of the
    bulk power system.
  • Registration information posted on the NERC
    website: www.nerc.com/page.php?cid=325
  • Certification for the following functions
    Reliability Coordinators, Balancing Authorities,
    and Transmission Operators
  • Compliance Enforcement Authority (CEA) for
    Regional Entity registered entity functions:
    FRCC, WECC, SPP, TRE

8
Organization Registration & Certification Group
(CONTINUED)
  • Proposed Amendment to the Rules of Procedure
    Section 500 and Appendix 5
  • Changes to requirements for overlap of functional
    footprints
  • Removal of requirement for Transitional
    certification and replacement with NERC Process
    for Provisional Certification
  • Changes to approval requirements for Appendix 5
  • Amendment recommendation is from CCC

9
Compliance Violation Investigations (CVIs) Group
  • In October 2008 NERC reorganized to perform
    Compliance Violation Investigations (CVI) at a
    level consistent with industry and government
    expectations
  • The CVI Group: 1 Manager, 10 Compliance
    Investigators
  • The CVI Group is responsible for directing,
    leading, and tracking CVI and Compliance
    Inquiries (CIQ)
  • Compliance Inquiry (CIQ) Process: a new informal
    review of facts, circumstances, and information
    to determine whether a more formal compliance
    review is required (e.g. a CVI or a Spot Check of
    Compliance)
  • Does not make a determination of compliance

10
Regional Operations Group
  • Established in Feb. 2009
  • Administers the regional delegation agreements
  • Facilitate consistency in application and advice
    to registered entities.
  • Establish policy through compliance bulletins
  • Assess performance

11
Regional Operations Group (CONTINUED)
  • Houses the Compliance Audit Group (CAG), which
    observes how regions carry out delegated
    activities, interacts with FERC staff observers,
    and conducts audits of the regions' CMEP programs
  • Includes audits of Regional Entity-led audits
  • Includes audits of Regional Entities
    implementation of the CMEP
  • Key initiatives
  • Support for semi-annual CIP self certification
  • Development of short form settlement processes
  • Updated RSAWs posted May 1, 2009
  • 2010 Implementation Plan

12
Enforcement & Mitigation Group
  • Mitigation is key - remove the risk
  • FERC Policy on Enforcement lists mitigation
    factors it considers
  • Remedial Actions are necessary in cases where the
    reliability threat is imminent
  • Notice of Penalty Filings: Penalties or
    Settlements
  • This stage completes the ERO processing of
    reliability standard violation proceedings
  • They are then posted on the NERC website:
    http://www.nerc.com/filez/enforcement/index.html
  • All are reviewed and approved by NERC Board
    Compliance Committee

13
Compliance Analysis, Reporting, and Tracking
(CART) Group
  • CART is responsible for
  • Leading the effort to develop procedures for
    collecting, analyzing, reporting, and tracking
    all alleged and confirmed violations and
    associated records including mitigation plans
  • Reporting on the status of violations and
    mitigation plans to the NERC BOTCC, FERC,
    Canadian Authorities, and the public
  • Implementing and expanding the NERC Compliance
    Reporting and Tracking System (CRATS) for the
    collection and processing of information from the
    Regional Entities.

14
Compliance Process
(Flowchart; reconstructed as a sequence)
  • Discovery methods feeding the process: Periodic
    Reports, Self-Certification, Spot Check,
    Self-Report, Exception, CVI, Audits, Complaint
  • Region notifies NERC (and the entity) of a
    possible alleged violation within 2-5 days; NERC
    notifies the government authority
  • Regions continue review and evaluation; the
    possible violation is either dismissed, or a
    Notice of Alleged Violation and proposed penalty
    is sent to the responsible entity
    (CONFIDENTIAL at this stage)
  • The entity then either
    • accepts the violation and submits a mitigation
      plan (Mitigation Plan Region Review), or
    • contests it (Regional Hearing, followed by the
      Appeals Process), or
    • enters settlement negotiations (Settlement
      Reached, then Settlement Approved by BOTCC)
  • Notice of Confirmed Violation sent to NERC and the
    responsible entity
  • NERC Review: NERC BOTCC reviews and approves the
    region's proposed penalty
  • Government Review: 5 DAY WAITING PERIOD
  • Notice of Penalty or Settlement sent to FERC in
    the U.S. and posted to the NERC website (processes
    differ in Canada)
15
Status Of FERC Enforceable Alleged Violation and
Violation Mitigation Plans
16
Status Of FERC Enforceable Alleged Violations by
Region
17
Pending Violation Summary, July 2009
18
Rolling 12-Month Top 11 FERC Enforceable
Standards Violations
19
Pre-June 18th Violation Mitigation Plans
20
Backlog Omnibus Filing
21
OVERVIEW
  • NERC and Regional Entities are working on a
    Backlog Omnibus Filing
  • Purpose
  • To address, through a one-time filing, older
    violations that pre-date FERC's July 3, 2008
    Order
  • Help reduce the backlog to allow Regional
    Entities to focus on the more serious violations.
  • More than 500 violations are under consideration
    for inclusion in the filing
  • Target filing date is fourth quarter 2009

22
FILING FEATURES
  • Key features of the Backlog Omnibus Filing are
  • This filing will be limited to violations that
    occurred from June 18, 2007 through July 3, 2008
  • Violation candidates must not have posed a
    serious or significant risk to the reliability of
    the Bulk Electric System
  • Violation candidates include those with lower and
    medium VRFs
  • High VRF violations, such as those involving
    documentation issues, may be included if they
    meet the risk criteria

23
FILING FEATURES (CONTD)
  • For each Violation, there must be a completed
    Mitigation Plan
  • It must be certified by the Registered Entity and
    verified by the Regional Entity as completed
  • May include non-zero-dollar (i.e. greater than $0)
    enforcement actions

24
NEXT STEPS
  • Next steps
  • Regional Entities have identified potential
    violation candidates
  • Preparing the support for the violation
    candidates to be included in the filing
  • Working to ensure Mitigation Plans are in place
    and to verify completion of Mitigation Plans
  • Final candidates will be submitted to NERC in
    August or early September, 2009
  • The NERC Board of Trustees Compliance Committee
    ultimately will review and approve the violations
    to be included in the filing
  • The filing will be submitted to the Federal
    Energy Regulatory Commission during the fourth
    quarter of 2009

25
Summary Report for Violations of Reliability
Standard PRC-005-1 System Protection
Maintenance and Testing
  • Board of Trustees Compliance Committee
  • August 4, 2009

26
PRC-005-1 Violation Analysis
  • Most frequently violated standard by Registered
    Entities.
  • PRC-005-1 focuses on Transmission and Generation
    Protection Systems Maintenance and Testing.
  • Major Requirements
  • Maintenance and Testing Program
  • Program Implementation

27
PRC-005-1 Background
  • Regional Compliance Implementation Group (RCIG)
    issued an assessment on monitoring and
    implementation of Standard PRC-005-1
  • Provided five key reasons for non-compliance and
    suggested process enhancements
  • NERC analysis provides additional statistical
    data to supplement the RCIG assessment

28
Current Violation Statistics
29
Violations by Region
30
Violations by Registered Functions
31
Violations by Discovery Method
32
Violations by Violation Date
33
Violations by Submit Date to NERC
34
Key Reasons for Noncompliance
  • Classified Violations into Four Buckets
    • Documentation: a lack of records
    • Maintenance: failure to perform maintenance and
      testing within prescribed intervals
    • Lacking basis: no basis to determine appropriate
      testing intervals
    • No Program: no maintenance or testing program
      exists

35
Violation Buckets
36
Recommendations
  • A documented maintenance and testing plan needs
    to be in place for devices that qualify as
    protection systems.
  • All devices that qualify as protection systems
    need to be included in the maintenance and
    testing program (batteries were a common item
    missed).
  • Maintenance and testing programs need to be
    completed on schedule and within defined
    intervals.
  • Testing programs need to include the appropriate
    basis of testing.

37
Summary Report for Violations of Reliability
Standard CIP-004-1 Cyber Security: Personnel &
Training
38
CIP-004-1 Violation Analysis
  • CIP-004-1 focuses on Cyber Security: Personnel
    and Training
  • Major Requirements of this standard
  • Awareness of Security Program
  • Cyber Security Training
  • Personnel Risk Assessment
  • Personnel Access to Critical Cyber Assets

39
Current Violation Statistics
40
Violations by Region
41
Violations by Registered Functions
42
Violations by Discovery Method
43
Violations by Violation Date
44
Key Reasons for Noncompliance
  • Classified Violations into Four Buckets
    • Documentation: a lack of records
    • Training: training not offered or not completed
      on time
    • Risk Assessment: background checks not complete
    • Access: improper access granted to Critical
      Cyber Assets

45
Violation Buckets
46
Recommendations
  • For those with access to Critical Cyber Assets
  • All employees, including contractors and service
    vendors, need to be trained within 90 days of
    authorization.
  • Risk assessments need to be completed within
    given time frames and focused on appropriate
    pieces of information.
  • Access lists need to be changed upon the
    termination or transfer of employees from or to
    areas that contain Critical Cyber Assets, and
    frequently updated to contain contractors and
    service vendors.
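
The four buckets above (Documentation, Training, Risk Assessment, Access) map directly onto checks an entity can run over its own personnel and access records before an auditor does. The following is an added example, not code from the presentation or from NERC: it reviews a constructed roster against the 90-day training window stated on the slide. The 30-day personnel risk assessment (PRA) window, the record fields and the names in the roster are assumptions made for illustration.

```python
"""Review of personnel records against the CIP-004-1 noncompliance buckets.

Added example (not code from the presentation or from NERC). The 90-day
training window is taken from the slide; the 30-day PRA window, the
record layout and the roster below are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

TRAINING_WINDOW_DAYS = 90   # from the slide: trained within 90 days of authorization
PRA_WINDOW_DAYS = 30        # assumption: risk assessment window used by this example


@dataclass
class Person:
    name: str
    category: str                         # "employee", "contractor" or "service vendor"
    authorized: date                      # date access to Critical Cyber Assets was authorized
    trained: Optional[date] = None        # cyber security training completion, if recorded
    risk_assessed: Optional[date] = None  # personnel risk assessment completion, if recorded
    terminated: Optional[date] = None     # termination or transfer out of the CCA area, if any
    on_access_list: bool = True           # present on the current CCA access list


@dataclass(frozen=True)
class Finding:
    name: str
    bucket: str   # "Documentation", "Training", "Risk Assessment" or "Access"
    detail: str


def _check_window(findings: List[Finding], p: Person, what: str,
                  completed: Optional[date], window_days: int,
                  as_of: date, bucket: str) -> None:
    """Missing record after the deadline -> Documentation bucket;
    record present but late -> the control's own bucket."""
    deadline = p.authorized + timedelta(days=window_days)
    if completed is None:
        if as_of > deadline:
            findings.append(Finding(p.name, "Documentation",
                f"no {what} record and the {deadline} deadline has passed"))
        return  # still inside the window: nothing to report yet
    if completed > deadline:
        late = (completed - deadline).days
        findings.append(Finding(p.name, bucket,
            f"{what} completed {late} days after the {deadline} deadline"))


def review_personnel(people: List[Person], as_of: date,
                     training_days: int = TRAINING_WINDOW_DAYS,
                     pra_days: int = PRA_WINDOW_DAYS) -> List[Finding]:
    """Return one Finding per control failure found in the roster."""
    findings: List[Finding] = []
    for p in people:
        if p.terminated is not None and p.terminated <= as_of:
            # Access list must be changed on termination or transfer.
            if p.on_access_list:
                days = (as_of - p.terminated).days
                findings.append(Finding(p.name, "Access",
                    f"still on the CCA access list {days} days after leaving on {p.terminated}"))
            continue  # remaining checks apply to active personnel only
        if not p.on_access_list:
            # Contractors and vendors with authorized access must appear on the list.
            findings.append(Finding(p.name, "Documentation",
                f"{p.category} authorized on {p.authorized} is missing from the access list"))
        _check_window(findings, p, "training", p.trained, training_days, as_of, "Training")
        _check_window(findings, p, "risk assessment", p.risk_assessed, pra_days, as_of, "Risk Assessment")
    return findings


def bucket_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings by bucket, the way the slides summarise violations."""
    return dict(Counter(f.bucket for f in findings))


# Constructed roster: every record below is made up for this example.
AS_OF = date(2009, 7, 31)
SAMPLE_PEOPLE = [
    Person("alice", "employee", date(2009, 1, 5), trained=date(2009, 2, 10), risk_assessed=date(2009, 1, 20)),
    Person("bob", "contractor", date(2009, 1, 5), trained=date(2009, 5, 1), risk_assessed=date(2009, 1, 10)),
    Person("carol", "service vendor", date(2009, 3, 1), risk_assessed=date(2009, 3, 10)),
    Person("dave", "employee", date(2008, 6, 1), trained=date(2008, 7, 1), risk_assessed=date(2008, 6, 10),
           terminated=date(2009, 6, 15)),
    Person("erin", "contractor", date(2009, 6, 20), on_access_list=False),
    Person("frank", "employee", date(2009, 4, 1), trained=date(2009, 5, 15), risk_assessed=date(2009, 5, 20)),
]


def run_sample() -> List[Finding]:
    return review_personnel(SAMPLE_PEOPLE, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.bucket:16} {f.name:6} {f.detail}")
    print(bucket_counts(run_sample()))
```

Two design points worth noting: a person still inside the 90-day window with no training record produces no finding (it is not yet a violation), and a missing record is filed under Documentation rather than Training, matching the distinction the slide draws between "a lack of records" and "not completed on time".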

47
CIP Program Perspective
48
Overview
  • What this is
  • General overview of CIPs, including overall
    observations and statistics based on 12/31/2008
    reported data, and a preview of the intent of the
    Technical Feasibility Exception process (TFE)
  • What this is NOT
  • Specific information to meet the cyber standards,
    or detailed procedures for TFE

49
Cyber Security Has Become VERY High Profile
  • 4/8/2009 Wall Street Journal ran a large
    article above the fold on the front page
  • Electricity Grid in U.S. Penetrated by Spies
  • WASHINGTON -- Cyber spies have penetrated the
    U.S. electrical grid and left behind software
    programs that could be used to disrupt the
    system, according to current and former
    national-security officials.
  • Did anyone notice?

50
Cyber Security 4/9/09 after WSJ Article
  • Television
  • ABC News (Good Morning America)
  • NBC Nightly News
  • Radio
  • NPR (All Things Considered)
  • Print / Online
  • Cyberspies have hacked into power grid, officials
    say
  • USA Today
  • What if Russia or China Cut Off Your Electricity?
  • ABC News
  • US concerned power grid vulnerable to
    cyber-attack
  • Reuters
  • Electrical grid's operator tries to stay ahead of
    hackers
  • Houston Chronicle
  • Utilities on guard against power grid foes
  • Kansas City Star

51
Cyber Security 4/9/09 after WSJ Article
  • The Feds' Timely Cyber Alarm
  • Forbes
  • Hackers reportedly have embedded code in power
    grid
  • CNN
  • AP source Spies compromised US electric grid
  • Associated Press
  • Spies Penetrate U.S. Electrical Grid
  • CBS News
  • Cyberspies Penetrate U.S. Power Grid, Leave
    Software That Could Disrupt System
  • FOX News
  • Will a Smart Grid Repel or Open Doors to a Cyber
    Attack?
  • Wall Street Journal Blogs
  • Malware Infections Lurk in U.S. Electricity Grid,
    WSJ reports
  • PC World
  • Report Cybercriminals have penetrated U.S.
    electrical grid
  • ComputerWorld
  • Put NSA in Charge of Cyber Security, Or the Power
    Grid Gets It
  • WiredNews

52
General Information on Data Analysis
  • Data for the next two slides on CIPs reporting is
    limited based on available data points at the
    time of the survey
  • The overall data was evaluated and is highly
    accurate, but it does not capture factors such
    as company size or impact.
  • Size of the company was not an available data
    point (e.g. a 100 MW BA may or may not be
    significant)
  • However, the overall trends represent an accurate
    picture of December 31, 2008 reporting
  • July 2009 CIPs surveys will add additional
    information to help identify facilities with
    minimal impact

53
Transmission Owners Reporting Critical Assets
54
Generation Owners/Operators reporting Critical
Assets
55
Excerpt from CSO letter on 4/8/2009
  • as we consider cyber security, a host of new
    considerations arise. Rather than considering the
    unexpected failure of a digital protection and
    control device within a substation, for example,
    system planners and operators will need to
    consider the potential for the simultaneous
    manipulation of all devices in the substation or,
    worse yet, across multiple substations. I have
    intentionally used the word manipulate here, as
    it is very important to consider the misuse, not
    just loss or denial, of a cyber asset and the
    resulting consequences, to accurately identify
    CAs under this new cyber security paradigm.

56
TFE Overview
  • Applicable only to specific requirements in
    CIP-002 through CIP-009
  • Basis for TFE Approval: when Strict Compliance
    with the Applicable Requirement
    • Is not technically feasible
    • Is not operationally feasible
    • Is precluded by technical limitations
    • Could adversely affect the reliability of the
      Bulk Electric System to an extent that outweighs
      the reliability benefits of Strict Compliance
      with the Applicable Requirement
    • Software not yet designed or still in development
    • Limited availability of required equipment or
      components
    • Would pose safety risks or issues that outweigh
      the reliability benefits of Strict Compliance
    • Would conflict with, or cause the Responsible
      Entity to be non-compliant with, a separate
      statutory or regulatory requirement that cannot
      be waived

57
Evolution of TFE Procedures
  • January 18, 2008 - Order No. 706: FERC directs
    NERC to develop a set of criteria to provide
    accountability when a responsible entity relies
    on the TFEs in specific Requirements of the CIP
    Reliability Standards, and to review TFE claims
    in the context of accelerated audits.
  • March 16, 2009 - NERC posts for industry comment
    proposed RoP change to allow FERC staff to
    pre-approve TFE requests to allow registered
    entities more certainty to make capital and
    resource decisions. 50 comments from the
    industry.
  • July 1, 2009 - Approximately 360 Registered
    Entities became obligated to be compliant with
    standards for which TFEs can be taken. NERC
    issues compliance bulletin for an interim process
    to have registered entities notify regional
    entities of TFE requests for consideration in
    audits and investigation.
  • August 2009 - NERC to post revised proposal
    developed in conjunction with the regions.
    Proposal would have regional entities provide
    substantive review of TFE submissions with NERC
    oversight for consistency.
  • September 2009 - Regional Entities to make
    available forms for interim submission of TFEs

58
TFE Procedure
  • Bottom line: still under review, but we believe
    we have addressed industry concerns and will be
    facilitating TFE review pending final review and
    approval by FERC.

59
Questions