
Welcome! NERC 2017 Standards and Compliance Workshop JW Marriott - PowerPoint PPT Presentation

Welcome! NERC 2017 Standards and Compliance Workshop, JW Marriott New Orleans, July 11-12, 2017
NERC Antitrust Compliance Guidelines: It is NERC's policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably


  1. 2017 Enhancement Features Recap
  • All vote-related functions located on the “Ballot Events” page
  • The term “Survey” replaced with the term “Comment Form”
  • Proceed directly to the “Real-time Comments” page without submitting a comment
  • Select members from the Registered Ballot Body (RBB) when creating groups
  • No confirmation necessary for negative opinions for Non-binding Polls
  • Sort and/or filter view on all pages will be retained
  RELIABILITY | ACCOUNTABILITY

  2. Standards Information Links
  • NERC’s Balloting and Commenting page
  • SBS Quick Reference Guide
  • SBS Tutorial
  • 2017 SBS Enhancement Presentation slides
  • Administrative Support: ballotadmin@nerc.net
  • NERC IT Support: https://support.nerc.net/
  • Standard Processes Manual
  • Appendix 3D – RBB Criteria
  • SBS Enhancements Webinar


  4. Break. Webinar participants: We will return at 3:15 p.m. Central.

  5. Entity Registration Update
  Ryan Stewart, NERC Manager of Registration Services
  2017 Standards and Compliance Workshop, July 11, 2017

  6. Site Overview
  7. Portal CFR Landing Page
  8. CFR Landing Page
  9. CFR Record Dropdown Options
  10. Portal CFR Detailed View
  11. Portal CFR Detailed View
  12. Basic Information
  13. Basic Information
  14. View Matrix Snapshot
  15. Entity Contacts
  16. Choose Requirements
  17. Set Responsibilities
  18. Requirement Notes Modal
  19. Upload Documents
  20. Submit CFR
  21. CRM CFR Landing Page
  22. Regional CFR Summary View
  23. CFR Matrix View
  24. NERC CFR Detailed View
  25. Reporting
  26. Downloadable CFR Matrix

  28. Cyber Security Supply Chain Risk Management
  Soo Jin Kim, NERC Manager of Standards Development
  2017 Standards and Compliance Workshop, July 11, 2017

  29. FERC Order No. 829
  “[the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.” - Order No. 829, July 2016
  • Standard(s) must be filed by September 27, 2017

  30. Standards Development Process
  Oct 2016 – Mar 2017: Tech Conference; 1st Formal Comment and Balloting
  May 2017: 2nd Formal Comment and Balloting
  July 2017: Final Ballots
  August 2017: NERC Board Adoption
  September 2017: Deadline for filing
  • First formal comment period January 20 – March 6, 2017
  • Second formal comment period May 2 – June 15, 2017

  31. June Ballot Results
  Name        Ballots (Approval)   Non-binding Polls (Supportive Opinions)
  CIP-005-6   89.84%               88.53%
  CIP-010-3   82.92%               88.02%
  CIP-013-1   88.64%               89.57%

  32. Final Ballot
  • Standard drafting team (SDT) did not make substantive changes to requirements
  Clarifications
  • CIP-013-1 Requirement R1 Part 1.2.4
    - Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity
  • CIP-010-3 Requirement R1 Part 1.6
    - Prior to a change that deviates from the existing baseline configuration…verify software identity and integrity.
    - Measure revised to include evidence of automated update process
  • Updated CIP-010-3 Guidelines and Technical Basis section

  33. Comment Responses
  Common questions addressed by the SDT
  • CIP-013-1 Requirements to address software verifications and vendor remote access are not duplicative of CIP-010/CIP-005
    - Procurement versus Operational
  • CIP-005-6 Requirements for vendor remote access do not require session recording
  • CIP-010-3 Requirements for software verifications apply to baseline changes only (do not apply to new system installation)
  • Software verifications do not need to be repeated for each BES Cyber System
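The CIP-010-3 software verification clarified on this and the previous slide (run only when a change deviates from the existing baseline, evidence recorded, and not repeated for each BES Cyber System that receives the identical package), as an added Python example that is not part of the NERC presentation; the baseline format, the vendor-published source URL and SHA-256, and the shape of the evidence record are assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample: the approved baseline lists each software item by
# name and version, as a CIP-010 baseline configuration might (format assumed).
BASELINE = {"rtu-firmware": "4.2.1", "hmi-client": "7.0.3"}

# Constructed sample of what a vendor publishes for a release: the trusted
# download source and the SHA-256 of the package (values made up here).
VENDOR_PUBLISHED = {
    ("rtu-firmware", "4.3.0"): {
        "source": "https://updates.vendor.example/rtu/4.3.0.bin",
        "sha256": hashlib.sha256(b"rtu-firmware-4.3.0-bytes").hexdigest(),
    },
}

# Evidence cache keyed by artifact, source and digest: a verification done once
# is cited for every BES Cyber System that receives the identical package.
_verified = {}

def needs_verification(name, new_version):
    """Only a change that deviates from the existing baseline triggers the check."""
    return BASELINE.get(name) != new_version

def verify_software(name, version, obtained_from, package_bytes):
    """Check identity (package came from the vendor's published source) and
    integrity (SHA-256 matches the published value); return an evidence record."""
    digest = hashlib.sha256(package_bytes).hexdigest()
    key = (name, version, obtained_from, digest)
    if key in _verified:                       # same package already verified
        return dict(_verified[key], reused=True)
    published = VENDOR_PUBLISHED.get((name, version))
    if published is None:
        return {"artifact": (name, version), "result": "FAIL",
                "reason": "no vendor-published identity/integrity data"}
    identity_ok = obtained_from == published["source"]
    integrity_ok = digest == published["sha256"]
    record = {
        "artifact": (name, version),
        "result": "PASS" if identity_ok and integrity_ok else "FAIL",
        "identity_ok": identity_ok,
        "integrity_ok": integrity_ok,
        "sha256": digest,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "reused": False,
    }
    if record["result"] == "PASS":
        _verified[key] = record                # keep as evidence for later systems
    return record
```

A failed record (wrong source or digest) is deliberately not cached, so the next attempt with the same package is re-checked rather than reused.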

  34. Implementation Guidance
  • Implementation Guidance developed by the SDT has been endorsed by the ERO Enterprise
  • Provides examples of approaches for complying with CIP-013-1
    - Risk-based approach to Cyber Security Supply Chain Risk Management plans (R1)
    - Processes for planning to procure BES Cyber Systems that identify and assess cyber security risks from vendor products or services (R1 Part 1.1)
    - Request-for-proposal or negotiation provisions to address topics in R1 Part 1.2.1 – 1.2.6
    - Processes for periodically reviewing and approving plans (R3)

  35. Next Steps
  • Standards will be submitted for the August 10, 2017 NERC Board of Trustees meeting
  • FERC Order No. 830 filing deadline is September 27, 2017
  • After filing, priority shifts to development of a comprehensive strategy for implementation (pending regulatory approval)

  36. Contact Information
  • Refer to the Project 2016-03 page for more information
  • Email laura.anderson@nerc.net to join the email list
  • Corey Sellers, Southern Company, SDT Chair
    - Email at mcseller@southernco.com
  • JoAnn Murphy, PJM Interconnection, SDT Vice Chair
    - Email at joann.murphy@pjm.com


  38. Coordinated Oversight Program for Multi-Region Registered Entities
  Kim Israelsson, Manager, Compliance Program Coordination and Process Integration, WECC
  2017 Standards and Compliance Workshop, July 11, 2017

  39. Agenda
  • Program objective and benefits
  • Inclusion criteria
  • Participation requests
  • 2016 participant survey feedback
  • Program enhancements
  • Current participation
  • ERO Enterprise contacts

  40. Objective
  • Focus on risk to reliability, while improving:
    - Efficiency
      o Single point of contact
      o Streamlining processes
    - Consistency
      o Compliance Monitoring and Enforcement Program (CMEP) activities
      o Organization Registration and Certification Program (ORCP) activities
      o Reporting requirements and tools

  41. Benefits of Coordinated Oversight for MRREs
  • Lead Regional Entity (LRE) and Affected Regional Entities (ARE) coordinated to provide:
    - Single point of contact for CMEP, ORCP, and other activities
    - Centralized monitoring, enforcement, and reporting

  42. Criteria for Inclusion in Coordinated Oversight Program
  • Registered Entity
    - Operates in or owns assets in two or more Regional Entity(ies) jurisdictions
    - Verifies its Primary Compliance Contact (PCC), Authorizing Officer (AO), or Primary Compliance Officer (PCO) contact information is accurate prior to submitting request for inclusion
    - Designates a PCC

  43. Participation Request Process
  • PCC, AO, or PCO submits initial request to designated NERC or Regional Entity MRRE coordinated oversight contacts
  • Requests may include the following information:
    - Registered Entity name(s)
    - NERC Compliance Registry (NCR) Number(s) to be included
    - Applicable Regional Entities
    - Applicable registered functions
    - PCC information for MRRE
    - Description of registered entity(ies) compliance program
    - Description of facilities

  44. 2016 Participant Survey
  • Survey sent to 40 MRREs in Coordinated Oversight Program in June 2016
    - Responses received from all 40 MRREs
  • Survey requested feedback on:
    - Implementation and streamlining of activities
    - LRE and ARE coordination
    - Overall satisfaction
  • General Comments
    - 97% of MRREs support continued participation
    - 84% of the MRREs believe it fulfills the objectives

  45. Participant Survey – Value Statements
  • “The MRRE program has been a welcome enhancement for our compliance efforts.”
  • “Overall, it has been a very positive experience for our organization.”
  • “The MRRE program has been extremely successful in streamlining processes and more effectively utilizing resources.”
  • “Entity’s assessment at this early stage is ‘so far, so good.’ We have no suggestions for improvement at present. The program has been quite beneficial for us.”

  46. Participant Survey – Improvement Opportunities
  • Inherent Risk Assessments (IRA)
  • Data systems and portals for data collection
    - Technical Feasibility Exceptions (TFEs) submittals
    - Periodic Data Submittals
  • Communication
    - Information about process and what to expect
    - Guidance on changes to registered entity assets and potential impacts on program participation

  47. Program Enhancements
  • 2017 enhancements
    - Developed and publicly posted an ERO Enterprise consolidated 2017 Periodic Data Submittal schedule
    - Developed internal ERO Enterprise procedures to address roles, responsibilities, and processes
    - Developed ERO Enterprise templates
    - Conducted ERO Enterprise staff training
  • Ongoing enhancements
    - TFE submittals
    - Communication and transparency of processes
    - Maintain list of Frequently Asked Questions
  • 2017 Participant Survey
  • 2017 outreach (e.g., Fall industry webinar)

  48. MRRE – Regional Breakdown*
  • WECC 6%
  • MRO 12%
  • NPCC 1%
  • RF 16%
  • Texas RE 44%
  • SERC 11%
  • SPP RE 10%
  *As of Q1 2017.

  49. MRRE – Distribution by Registered Function*
  [Bar chart: Number of Entities Registered by Registered Function (BA, DP, GO, GOP, PA, RC, RP, RSG, TO, TOP, TP, TSP)]
  *As of Q1 2017.

  50. Designated NERC/Regional Entity MRRE Coordinated Oversight Contacts
  • Scott Knewasser - FRCC: sknewasser@frcc.com
  • Sara Patrick - MRO: SE.Patrick@MidwestReliability.org
  • Stanley Kopman - NPCC: skopman@npcc.org
  • Megan Gambrel - RF: megan.gambrel@rfirst.org
  • Todd Curl - SERC: TCurl@serc1.org
  • Jim Williams - SPP RE: jwilliams.re@spp.org
  • Bill Lewis - Texas RE: William.Lewis@TEXASRE.org
  • Kim Israelsson - WECC: kisraelsson@wecc.biz
  • Barb Nutter - NERC: barbara.nutter@nerc.net
  For questions, please contact a designated NERC/Regional Entity MRRE contact for assistance.


  52. Inherent Risk Assessments
  Kiel Lyons, Manager, Grid Planning and Operations Assurance
  2017 Standards and Compliance Workshop, July 11, 2017

  53. Risk-based CMEP

  54. What is an IRA?
  • Inherent Risk Assessment (IRA) process end goal is entity-specific Compliance Oversight Plans (COPs)
    - Functions performed
    - Assets owned or operated
    - Location
  • 18 common Electric Reliability Organization (ERO) risk factors and criteria
    - Common criteria established, with regional flexibility provided
  • Other considerations
    - Entity performance data (e.g., misoperations, event analysis)
    - Compliance history
    - Knowledge of the entity (e.g., internal controls)
    - Risk Elements

  55. Output of IRA
  • How considerations impact monitoring of inherent risk
  • Development of Compliance Oversight Plans (COPs)
    - Reliability Standards and requirements for compliance monitoring
    - Compliance monitoring tools (i.e., CMEP Tools)
    - Interval of compliance monitoring

  56. Resources
  • Guide for Compliance Monitoring
    - http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initiative/ERO%20Enterprise%20Guide%20for%20Compliance%20Monitoring.pdf


  58. Compliance Guidance
  Kiel Lyons, Manager, Grid Planning and Operations Assurance
  2017 Standards and Compliance Workshop, July 11, 2017

  59. Overview
  • Compliance Guidance Policy
  • Types of Guidance
  • Pre-Qualified Organizations
  • Endorsement Process
  • Current Guidance
  • Website
  • Resources
  • Key Take-Aways

  60. Compliance Guidance Policy Principles
  • Cannot change scope of Reliability Standard
  • May be developed concurrently with Reliability Standard
  • Should not conflict
  • Should be developed collaboratively
  • Not only way to comply
  • Additional Considerations:
    - Finite and limited set
    - Related guidance in one location
    - Consider revising standard
    - Apply professional judgment
    - Feedback loops

  61. Types of Guidance
  Compliance Guidance
    - Implementation Guidance
    - CMEP Practice Guides

  62. Types of Guidance
  Implementation Guidance
  • Developed by industry, for industry
  • Examples or approaches
    - One of several possible approaches
  • Developed by:
    - Standard Drafting Team (SDT)
      o Vetted by industry
    - Pre-Qualified Organization
      o Endorsed by ERO Enterprise, with deference

  63. Types of Guidance
  • CMEP Practice Guides
    - Developed by ERO Enterprise, but may be initiated through a policy discussion with industry
    - Address how CMEP staff executes CMEP activities
      o Possible considerations include the discretion to be applied, auditing practices, risk assessment techniques, policies, and areas of focus
      o Not approaches to comply with standards
    - Uniform approaches that foster consistency across the ERO Enterprise
    - Publicly posted for transparency
    - Apply professional judgment when evaluating methods or approaches not identified in guidance

  64. Types of Guidance
  CMEP Practice Guides
  • Developed by ERO Enterprise, for ERO Enterprise
    - May be initiated through industry discussions
    - Publicly posted
  • ERO Enterprise CMEP staff approach
    - Fosters consistency
    - Possible considerations include the discretion to be applied, auditing practices, risk assessment techniques, policies, and areas of focus

  65. Pre-Qualified Organizations
  Approved by Compliance and Certification Committee (CCC)
  • The organization must:
    - Be actively involved in NERC operations
    - Have methods to assure technical rigor
    - Possess ability to vet content

  66. Pre-Qualified Organizations
  Pre-Qualified Organization Application Process:
  Applicant applies with the CCC → CCC reviews application → CCC notifies the applicant of approval → Applicant is added to Pre-Qualified Organization List

  67. Pre-Qualified Organizations
  • Standard Drafting Team (SDT)
    - Identifies examples
    - Reviews existing guidance
  • Examples vetted by industry
  • Decision to submit for ERO Enterprise endorsement made by:
    - Project Management and Oversight Subcommittee (PMOS) liaison and
    - NERC Standards Developer, who submit the guidance for ERO Enterprise endorsement
  • May not submit guidance after standard is approved
    - Must then be submitted by a Pre-Qualified Organization

  68. Endorsement Process
  Endorsement of Implementation Guidance
  • Pre-Qualified Organization or SDT submits proposed guidance
    - Email to ComplianceGuidance@nerc.net
    - Include Implementation Guidance Submittal Form
  • NERC
    - Acknowledges receipt
    - Posts proposed guidance
    - Distributes to ERO SME
  • ERO endorses or declines to endorse
  • Publicly posted
    - Non-Endorsed noted in spreadsheet

  69. Current Guidance
  • Implementation Guidance Under Development/Consideration
    - CEIWG - Voice Communications in a CIP Environment (VOIP in Control Centers)
    - CEIWG - Shared Facilities (CIP)
    - CEIWG - NRC Employee Access and CIP-004 Personnel Risk Assessment
    - NATF - TPL-001-5
    - NATF - CIP-010-2 Transient Cyber Assets
    - NATF - CIP-014-2, R4 and R5
    - NEI - PRC-024-2, R1, R2, and R3
    - WICF - CIP-010-5 R1 Part 1.1.4 - Netstat baseline for Ports and Services
    - WICF - MOD-025/MOD-026 - Manufacturer curve/data is not available

  70. Website
  71. Website
