Title: NERC Compliance Monitoring
NERC Compliance Monitoring Enforcement Program Update
Craig Lawrence, NERC Manager of Organization Registration, Certification, and Monitoring
Electric Reliability Organization Overview
Compliance Program Design
- Modeled after other industry-based self-regulatory organizations
- Regional implementation
  - Regional Entities monitor users, owners, operators
  - Delegation agreements
- NERC oversight role
  - Active oversight
  - Audits of regional implementation
NERC Compliance Staff Organization
Leadership:
- David Hilt, Vice President and Director of Compliance
- Joel deJesus, Director of Regional Operations
- Mike Moon, Director of Compliance Program Operations and Interfaces
- Craig Lawrence, Manager, Registration, Certification, and Monitoring
- Earl Shockley, Manager, Compliance Violation Investigations
- Tim Kucey, Manager, Enforcement and Mitigation
- Mike DeLaura, Manager, Compliance Analysis, Reporting, Tracking, and TFE
Staff positions:
- Administrative Assistants
- Compliance Certification Auditor
- Senior Compliance Investigators
- Sr. Enforcement Compliance Analyst
- Compliance Reporting Technical Analyst
- Senior Regional Entity Compliance Program Auditors
- Senior Program Interface Specialist (vacant)
- Compliance Audit Group (CAG)
- Regional Compliance Auditors
- Compliance Process Administrator
- Compliance Enforcement Administrator
- Technical Analyst
- Compliance Investigators
- Data Management System Specialist
- Organization Registration Engineer
- Compliance Enforcement Analyst
- Compliance Reporting Analysis Engineer
- Compliance Monitoring Auditors
NERC Compliance Oversight of REs
- REs implement the CMEP as they are authorized and obligated to do in their region
- Consistency and uniformity of CMEP implementation
  - Reliability Standards Audit Worksheets (RSAWs)
  - Standardized CMEP process documents
    - Self-Reporting Form
    - Self-Certification Form
    - Mitigation Plan Submittal Form
  - Formal direction and guidance, e.g. Process Bulletins
  - NERC training: Auditor, CVI, and CIP training
- Audits of RE conformance to and performance of the Uniform CMEP
NERC Compliance Oversight of REs (continued)
- Timeliness
  - Violation proceedings
  - Compliance Violation Investigations
- Quality and appropriateness
  - Substantive review and approval of REs' CMEP process outputs, e.g. violations, mitigation plans, settlements
- Direction, support, and participation
  - Lead or participate in CVIs and CIQs
  - Lead or collaborate regarding Remedial Action Directives (RADs)
Organization Registration and Certification Group
- Creates the ERO Compliance Registry
  - Identifies owners, operators, and users of the bulk power system
  - Registration information is posted on the NERC website: www.nerc.com/page.php?cid=325
- Certification for the following functions: Reliability Coordinators, Balancing Authorities, and Transmission Operators
- Compliance Enforcement Authority (CEA) for Regional Entity registered entity functions: FRCC, WECC, SPP, TRE
Organization Registration and Certification Group (continued)
- Proposed amendment to the Rules of Procedure, Section 500 and Appendix 5
  - Changes to requirements for overlap of functional footprints
  - Removal of the requirement for Transitional Certification and its replacement with the NERC Process for Provisional Certification
  - Changes to approval requirements for Appendix 5
- The amendment recommendation is from the CCC
Compliance Violation Investigations (CVIs) Group
- In October 2008 NERC reorganized to perform Compliance Violation Investigations (CVIs) at a level consistent with industry and government expectations
- The CVI Group: 1 Manager, 10 Compliance Investigators
- The CVI Group is responsible for directing, leading, and tracking CVIs and Compliance Inquiries (CIQs)
- Compliance Inquiry (CIQ) process: a new informal review of facts, circumstances, and information to determine whether a more formal compliance review is required (e.g. a CVI or a Spot Check of Compliance)
  - Does not make a determination of compliance
Regional Operations Group
- Established in Feb. 2009
- Administers the regional delegation agreements
- Facilitates consistency in application and advice to registered entities
- Establishes policy through compliance bulletins
- Assesses performance
Regional Operations Group (continued)
- Houses the Compliance Audit Group (CAG), which observes how regions carry out delegated activities, interacts with FERC staff observers, and conducts audits of the regions' CMEP programs
  - Includes audits of Regional Entity-led audits
  - Includes audits of Regional Entities' implementation of the CMEP
- Key initiatives
  - Support for semi-annual CIP self-certification
  - Development of short-form settlement processes
  - Updated RSAWs posted May 1, 2009
  - 2010 Implementation Plan
Enforcement and Mitigation Group
- Mitigation is key: remove the risk
- The FERC Policy on Enforcement lists the mitigation factors it considers
- Remedial Actions are necessary in cases where a reliability threat is imminent
- Notice of Penalty filings (penalties or settlements)
  - This stage completes the ERO processing of reliability standard violation proceedings
  - They are then posted on the NERC website: http://www.nerc.com/filez/enforcement/index.html
  - All are reviewed and approved by the NERC Board Compliance Committee
Compliance Analysis, Reporting, and Tracking (CART) Group
- CART is responsible for
  - Leading the effort to develop procedures for collecting, analyzing, reporting, and tracking all alleged and confirmed violations and associated records, including mitigation plans
  - Reporting on the status of violations and mitigation plans to the NERC BOT CC, FERC, Canadian authorities, and the public
  - Implementing and expanding the NERC Compliance Reporting and Tracking System (CRATS) for the collection and processing of information from the Regional Entities
Compliance Process (flowchart)
- Discovery methods: Periodic Reports, Self-Certification, Spot Check, Self-Report, Exception, CVI, Audits, Complaint
- Region notifies NERC (and the entity) of a possible alleged violation within 2-5 days; NERC notifies the government authority
- Regions continue review and evaluation; the matter may be dismissed
- Notice of alleged violation and proposed penalty sent to the responsible entity (CONFIDENTIAL)
- From there the entity accepts the violation and submits a mitigation plan, contests it, or enters settlement negotiations
  - Mitigation plan: region review
  - Entity contests: regional hearing, then appeals process
  - Settlement reached: settlement approved by BOTCC
- Notice of confirmed violation sent to NERC and the responsible entity
- NERC review: NERC BOTCC reviews and approves the region's proposed penalty
- Government review: 5-day waiting period
- Notice of penalty or settlement sent to FERC in the U.S. and posted to the NERC website (processes differ in Canada)
Status of FERC Enforceable Alleged Violations and Violation Mitigation Plans
Status of FERC Enforceable Alleged Violations by Region
Pending Violation Summary, July 2009
Rolling 12-Month Top 11 FERC Enforceable Standards Violations
Pre-June 18th Violation Mitigation Plans
Backlog Omnibus Filing
OVERVIEW
- NERC and the Regional Entities are working on a Backlog Omnibus Filing
- Purpose
  - To address, through a one-time filing, older violations that pre-date FERC's July 3, 2008 Order
  - To help reduce the backlog and allow Regional Entities to focus on the more serious violations
- More than 500 violations are under consideration for inclusion in the filing
- Target filing date is fourth quarter 2009
FILING FEATURES
- Key features of the Backlog Omnibus Filing
  - The filing will be limited to violations that occurred from June 18, 2007 through July 3, 2008
  - Violation candidates must not have posed a serious or significant risk to the reliability of the Bulk Electric System
  - Violation candidates include those with lower and medium VRFs
  - High VRF violations, such as those involving documentation issues, may be included if they meet the risk criteria
FILING FEATURES (CONT'D)
- For each violation, there must be a completed Mitigation Plan
  - It must be certified by the Registered Entity and verified by the Regional Entity as completed
- May include non-zero dollar enforcement actions
NEXT STEPS
- Regional Entities have identified potential violation candidates
- Preparing the support for the violation candidates to be included in the filing
- Working to ensure Mitigation Plans are in place and to verify completion of Mitigation Plans
- Final candidates will be submitted to NERC in August or early September 2009
- The NERC Board of Trustees Compliance Committee ultimately will review and approve the violations to be included in the filing
- The filing will be submitted to the Federal Energy Regulatory Commission during the fourth quarter of 2009
Summary Report for Violations of Reliability Standard PRC-005-1, System Protection Maintenance and Testing
- Board of Trustees Compliance Committee
- August 4, 2009
PRC-005-1 Violation Analysis
- Most frequently violated standard by Registered Entities
- PRC-005-1 focuses on Transmission and Generation Protection Systems Maintenance and Testing
- Major requirements
  - Maintenance and Testing Program
  - Program Implementation
PRC-005-1 Background
- The Regional Compliance Implementation Group (RCIG) issued an assessment on monitoring and implementation of Standard PRC-005-1
  - Provided five key reasons for non-compliance and suggested process enhancements
- NERC analysis provides additional statistical data to supplement the RCIG assessment
Current Violation Statistics
Violations by Region
Violations by Registered Functions
Violations by Discovery Method
Violations by Violation Date
Violations by Submit Date to NERC
Key Reasons for Noncompliance
- Classified violations into four buckets
  - Documentation: a lack of records
  - Maintenance: failure to perform maintenance and testing in the prescribed intervals
  - Lacking basis: no basis to determine appropriate testing intervals
  - No program: no maintenance or testing program exists
Violation Buckets
Recommendations
- A documented maintenance and testing plan needs to be in place for devices that qualify as protection systems
- All devices that qualify as protection systems need to be included in the maintenance and testing program (batteries were a common item missed)
- Maintenance and testing programs need to be completed on schedule and within defined intervals
- Testing programs need to include the appropriate basis of testing
Summary Report for Violations of Reliability Standard CIP-004-1, Cyber Security - Personnel and Training
CIP-004-1 Violation Analysis
- CIP-004-1 focuses on Cyber Security Personnel and Training
- Major requirements of this standard
  - Awareness of Security Program
  - Cyber Security Training
  - Personnel Risk Assessment
  - Personnel Access to Critical Cyber Assets
Current Violation Statistics
Violations by Region
Violations by Registered Functions
Violations by Discovery Method
Violations by Violation Date
Key Reasons for Noncompliance
- Classified violations into four buckets
  - Documentation: a lack of records
  - Training: training not offered or not completed on time
  - Risk Assessment: background checks not complete
  - Access: improper access granted to critical cyber assets
Violation Buckets
Recommendations
- For those with access to Critical Cyber Assets
  - All employees, including contractors and service vendors, need to be trained within 90 days of authorization
  - Risk assessments need to be completed within the given time frames and focused on the appropriate pieces of information
  - Access lists need to be changed upon the termination or transfer of employees from or to areas that contain Critical Cyber Assets, and frequently updated to include contractors and service vendors
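As an added illustration (not part of the slide deck or of any NERC tool), a small Python check that audits a Critical Cyber Asset access list against the three recommendations above: training within 90 days of authorization, a personnel risk assessment on file, and removal on termination or transfer. The record layout, the sample rows, and the decision to flag only a missing risk assessment (the slide gives no specific time frame) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

TRAINING_WINDOW_DAYS = 90  # slide: training within 90 days of authorization


@dataclass
class AccessRecord:
    """One row of a hypothetical Critical Cyber Asset access list."""
    person: str
    authorized: date                       # date access was granted
    trained: Optional[date] = None         # cyber security training completion
    pra_completed: Optional[date] = None   # personnel risk assessment (background check)
    terminated: Optional[date] = None      # termination or transfer out of the CCA area


def audit_access_list(records: List[AccessRecord], as_of: date) -> List[Tuple[str, str]]:
    """Return (person, finding) pairs for rows that miss a recommendation.
    Assumption: the slide gives no time frame for risk assessments, so only a
    missing assessment is flagged."""
    findings = []
    for r in records:
        # Access lists must be changed on termination or transfer.
        if r.terminated is not None and r.terminated <= as_of:
            findings.append((r.person, "terminated/transferred but still on access list"))
            continue
        # A personnel risk assessment must be on file.
        if r.pra_completed is None:
            findings.append((r.person, "no personnel risk assessment on file"))
        # Training must be completed within 90 days of authorization.
        deadline = r.authorized + timedelta(days=TRAINING_WINDOW_DAYS)
        if r.trained is None:
            if as_of > deadline:
                findings.append((r.person, "training overdue"))
        elif r.trained > deadline:
            findings.append((r.person, "training completed after the 90-day window"))
    return findings


# Constructed sample access list (not real data); contractors and vendors included.
AS_OF = date(2009, 7, 1)
SAMPLE_RECORDS = [
    AccessRecord("alice", date(2009, 3, 1), trained=date(2009, 4, 15), pra_completed=date(2009, 2, 20)),
    AccessRecord("bob", date(2009, 1, 10), pra_completed=date(2009, 1, 5)),
    AccessRecord("carol (contractor)", date(2009, 5, 1), trained=date(2009, 5, 20)),
    AccessRecord("dave", date(2008, 11, 1), trained=date(2008, 12, 1),
                 pra_completed=date(2008, 10, 15), terminated=date(2009, 6, 15)),
    AccessRecord("erin (vendor)", date(2009, 1, 5), trained=date(2009, 5, 1), pra_completed=date(2009, 1, 2)),
]
```

Running `audit_access_list(SAMPLE_RECORDS, AS_OF)` flags bob, carol, dave and erin and leaves alice clean; in practice the records would be read from the entity's HR and access-control systems rather than constructed inline.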
CIP Program Perspective
Overview
- What this is
  - A general overview of CIPs, including overall observations and statistics based on 12/31/2008 reported data, and a preview of the intent of the Technical Feasibility Exception (TFE) process
- What this is NOT
  - Specific information to meet the cyber standards, or detailed procedures for TFEs
Cyber Security Has Become VERY High Profile
- On 4/8/2009 the Wall Street Journal ran a large article above the fold on the front page: "Electricity Grid in U.S. Penetrated by Spies"
  - "WASHINGTON -- Cyber spies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials."
- Did anyone notice?
Cyber Security: 4/9/09, after the WSJ Article
- Television
  - ABC News (Good Morning America)
  - NBC Nightly News
- Radio
  - NPR (All Things Considered)
- Print / Online
  - "Cyberspies have hacked into power grid, officials say" - USA Today
  - "What if Russia or China Cut Off Your Electricity?" - ABC News
  - "US concerned power grid vulnerable to cyber-attack" - Reuters
  - "Electrical grid's operator tries to stay ahead of hackers" - Houston Chronicle
  - "Utilities on guard against power grid foes" - Kansas City Star
Cyber Security: 4/9/09, after the WSJ Article (continued)
- "The Feds' Timely Cyber Alarm" - Forbes
- "Hackers reportedly have embedded code in power grid" - CNN
- "AP source: Spies compromised US electric grid" - Associated Press
- "Spies Penetrate U.S. Electrical Grid" - CBS News
- "Cyberspies Penetrate U.S. Power Grid, Leave Software That Could Disrupt System" - FOX News
- "Will a Smart Grid Repel or Open Doors to a Cyber Attack?" - Wall Street Journal Blogs
- "Malware Infections Lurk in U.S. Electricity Grid, WSJ reports" - PC World
- "Report: Cybercriminals have penetrated U.S. electrical grid" - ComputerWorld
- "Put NSA in Charge of Cyber Security, Or the Power Grid Gets It" - Wired News
General Information on Data Analysis
- Data for the next two slides on CIP reporting is limited to the data points available at the time of the survey
- The overall data was evaluated and is extremely accurate, but it does not include issues such as company size or impact
  - Size of the company was not an available data point (i.e. a 100 MW BA may or may not be significant)
- However, overall trends represent an accurate picture of December 31, 2008 reporting
- The July 2009 CIP surveys will add additional information to help identify facilities with minimal impact
Transmission Owners Reporting Critical Assets
Generation Owners/Operators Reporting Critical Assets
Excerpt from CSO letter on 4/8/2009
- "as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations. I have intentionally used the word 'manipulate' here, as it is very important to consider the misuse, not just loss or denial, of a cyber asset and the resulting consequences, to accurately identify CAs under this new cyber security paradigm."
TFE Overview
- Applicable only to specific requirements in CIP-002 through CIP-009
- Basis for TFE approval: when Strict Compliance with the Applicable Requirement
  - Is not technically feasible
  - Is not operationally feasible
  - Is precluded by technical limitations
  - Could adversely affect the reliability of the Bulk Electric System to an extent that outweighs the reliability benefits of Strict Compliance with the Applicable Requirement
  - Software not yet designed or still in development
  - Limited availability of required equipment or components
  - Would pose safety risks or issues that outweigh the reliability benefits of Strict Compliance
  - Would conflict with, or cause the Responsible Entity to be non-compliant with, a separate statutory or regulatory requirement that cannot be waived
Evolution of TFE Procedures
- January 18, 2008 - Order No. 706: FERC directs NERC to develop a set of criteria to provide accountability when a responsible entity relies on the TFEs in specific Requirements of the CIP Reliability Standards, and to review TFE claims in the context of accelerated audits.
- March 16, 2009 - NERC posts for industry comment a proposed RoP change to allow FERC staff to pre-approve TFE requests, giving registered entities more certainty when making capital and resource decisions. 50 comments were received from the industry.
- July 1, 2009 - Approximately 360 Registered Entities became obligated to be compliant with standards for which TFEs can be taken. NERC issues a compliance bulletin for an interim process to have registered entities notify regional entities of TFE requests for consideration in audits and investigations.
- August 2009 - NERC to post a revised proposal developed in conjunction with the regions. The proposal would have regional entities provide substantive review of TFE submissions, with NERC oversight for consistency.
- September 2009 - Regional Entities to make available forms for interim submission of TFEs
TFE Procedure
- Bottom line: still under review, but we believe we have addressed industry concerns and will be facilitating TFE review pending final review and approval by FERC.
Questions