Welcome! NERC 2017 Standards and Compliance Workshop JW Marriott New Orleans. July 11-12, 2017

Transcription

1 Welcome! NERC 2017 Standards and Compliance Workshop JW Marriott New Orleans July 11-12, 2017

2 NERC Antitrust Compliance Guidelines It is NERC s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers, or any other activity that unreasonably restrains competition. 2

3 Public Announcement Participants are reminded that this meeting is public. Notice of the meeting was posted on the NERC website and widely distributed. The notice included the number for dial-in participation. Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities. 3

4 General Announcements Safety Fire exits Calling 911 Alerting hotel staff CPR Other Logistics Q&A Restrooms 4

5 Today s Agenda 9:00 Noon: NERC Standards and Compliance 101 Mat Bunch Latrice Harkness Shamai Elstein Ryan Mauldin Noon 1:00 p.m.: Lunch 1:00 1:10 p.m.: Welcome and Introductions Laura Anderson Ryan Mauldin 1:10 1:20 p.m.: Keynote Remarks Howard Gugel Andrea Koch 5

6 Today s Agenda 1:20 1:30 p.m.: Interactive Demonstration Laura Anderson Ryan Stewart 1:30 2:00 p.m.: Cost Effectiveness Steven Noess Soo Jin Kim 2:00 2:15 p.m.: SBS Enhancements Chris Larson 2:15 3:15 p.m.: Break 3:15 3:45 p.m.: NERC Registration Initiatives Ryan Stewart 6

7 Today s Agenda 3:45 4:00 p.m.: Project Cyber Security Supply Chain Management Soo Jin Kim 4:00 4:45 p.m.: Compliance Monitoring Update (Coordinated Oversight of MRREs, IRAs, and Compliance Guidance) Kim Israelsson Kiel Lyons 4:45 5:00 p.m.: General Q&A/Closing Announcements Laura Anderson Latrice Harkness 5:30 6:30 p.m.: Reception 7

8 8

9 Keynote Remarks Howard Gugel, NERC Senior Director of Standards and Education Andrea Koch, NERC Senior Director of Reliability Assurance

10 Cost Effectiveness and Guidelines and Technical Basis Steven Noess, Director of Standards Development Soo Jin Kim, Manager of Standards Development 2017 Standards and Compliance Workshop July 11, 2017

11 History of Cost Effectiveness Northeast Power Coordinating Council, Inc. procedure NERC Cost Effective Analysis Process 2015 policy input Cost effectiveness method piloted in

12 Cost Effectiveness 2017 Board of Trustees made this a priority effort All projects will generally consider cost effectiveness at a high level All formal comments will provide industry a chance to comment on cost considerations Two questions to address What is level of cost versus reliability benefit? Can the most cost-effective solution be used? 3

13 Current Activities Periodic Reviews Standards grading metric Additional pilots of proposed method 4

14 Examples Examples of Project Questions Posed Supply Chain: The standard drafting team believes proposed CIP and the draft Implementation Guidance provide entities with flexibility to meet the reliability objectives in a cost-effective manner. Do you agree? If you do not agree, or if you agree, but have suggestions for improvement to enable additional cost-effective approaches, please provide your recommendation, and if appropriate, technical justification. VAR EPR: The team did not identify a concern related to cost effectiveness as drafted. Do you agree? If not, please provide additional detail. 5

15 Future Activities Comments solicited in periodic reviews Comments solicited in Standard comment periods Evaluate compliance and enforcement cost impacts Cost comment themes provided in Board of Trustees presentations 6

16 Guidelines and Technical Basis History Initially designed to support results-based standards First used in FAC Contained an information only disclaimer Incorporated into standard development template Disclaimer paragraph was omitted 7

17 Purpose Provides drafting teams a mechanism to: Explain the technical basis for Reliability Standard Provide technical guidance to help support effective application To further clarify Guidelines and Technical Basis (GTB): NERC staff and Standards Committee (SC) leadership to coordinate Captured in Task 3 in SC Strategic Plan 8

18 Summary of work NERC staff and SC leadership collaboration A separate document to explain technical basis Focus on understanding technology and the technical requirements No compliance approaches or compliance guidance Encourage use of NERC Compliance Guidance Policy 9

19 Timeline Present to SC for endorsement Report results at August Standards Oversight and Technology Committee meeting Begin implementing for all projects going forward Consider in periodic reviews whether to remove GTB from existing standards 10

20 Implementation Guidance Implementation Guidance provides examples of implementing the standard Developed by industry Can be developed by: Standard drafting teams; or Pre-qualified organization Supply Chain project was the first drafting team to seek endorsed Implementation Guidance 11

21 12

22 Standards Balloting and Commenting System (SBS) Enhancement Feature Overview and Training Chris Larson, Manager of Standards Information 2017 Standards and Compliance Workshop July 11, 2017

23 2017 Enhancement Features Ability for users to vote, delegate/revoke proxy rights, and join ballots/ballot pools from the Ballot Events page All references to the term Survey will be replaced with the term Comment Form Ability for users to proceed directly to the Real-time Comments page (formerly Social Survey ) without first having to provide a response Ability for users to select members from the Registered Ballot Body (RBB) when creating groups Users will no longer be prompted to confirm negative opinions for Non-binding Polls The system will save users selected sort and/or filter view on all pages instead of reverting back to a default view 2

24 Ballot Events Page The My Voting Activity page will be removed and the voting-related functions listed below will be carried out on the Ballot Events page Join/withdraw from ballot pools Delegate/revoke proxies Vote for ballots New icon/function buttons will be added to the page (screenshots below) A and D Join and withdraw from ballot pool B Vote C and E Delegate and revoke proxy rights 3

25 Change of the Term Survey to Comment Form Terms such as Surveys and Take Survey will be replaced with the terms Comment Form and Submit Comments for consistency between Standards communications/postings and the SBS 4

26 Real-time Comments Page The current term/page Social Survey has been renamed Realtime Comments. Today, users who try to access this page without first submitting comments receive the following error message: Voters, proxies, and contributors will have the ability to provide a thumbs-up (like), thumbs-down (dislike), to other submitters comments without having to provide a response themselves. 5

27 RBB Members and Creating Groups When submitting a comment, users will have the ability to select current RBB members when creating groups The ability to manually enter/edit group members will remain 6

28 Negative Opinions and Confirmations for Non-binding Polls For non-binding poll ballot types, voters and proxies will not be prompted to comment or declare support for a third-party comment if a negative opinion is cast 7

29 Sort and Filter Any filtered, and/or sorted results, will be retained when navigating between SBS pages Once a user logs out of the SBS, the filtered, and/or sorted selection, will revert to a default state 8

30 2017 Enhancement Features Recap All vote-related functions located on the Ballot Events page The term Survey replaced with the term Comment Form Proceed directly to the Real-time Comments page without submitting a comment Select members from the Registered Ballot Body (RBB) when creating groups No confirmation necessary for negative opinions for Nonbinding Polls Sort and/or filter view on all pages will be retained 9

31 Standards Information Links NERC s Balloting and Commenting page SBS Quick Reference Guide SBS Tutorial 2017 SBS Enhancement Presentation slides Administrative Support: ballotadmin@nerc.net NERC IT Support: Standard Processes Manual Appendix 3D RBB Criteria SBS Enhancements Webinar 10

32 11

33 Break Webinar participants: We will return at 3:15 p.m. Central

34 Entity Registration Update Ryan Stewart, NERC Manager of Registration Services 2017 Standards and Compliance Workshop July 11, 2017

35 Site Overview 2

36 Portal CFR Landing Page 3

37 CFR Landing Page 4

38 CFR Record Dropdown Options 5

39 Portal CFR Detailed View 6

40 Portal CFR Detailed View 7

41 Basic Information 8

42 Basic Information 9

43 View Matrix Snapshot 10

44 Entity Contacts 11

45 Choose Requirements 12

46 Set Responsibilities 13

47 Requirement Notes Modal 14

48 Upload Documents 15

49 Submit CFR 16

50 CRM CFR Landing Page 17

51 Regional CFR Summary View 18

52 CFR Matrix View 19

53 NERC CFR Detailed View 20

54 Reporting 21

55 Downloadable CFR Matrix 22

56 23

57 Cyber Security Supply Chain Risk Management Soo Jin Kim, NERC Manager of Standards Development 2017 Standards and Compliance Workshop July 11, 2017

58 FERC Order No. 829 [the Commission directs] that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations. - Order No. 829, July 2016 Standard(s) must be filed by September 27,

59 Standards Development Process Oct 2016 Mar 2017 Tech Conference 1 st Formal Balloting May nd Formal Comment and Balloting July 2017 Final Ballots August 2017 NERC Board Adoption September 2017 Deadline for filing First formal comment period January 20 March 6, 2017 Second formal comment period May 2 June 15,

60 June Ballot Results Ballots Non-binding Polls Name Approval Supportive Opinions CIP % 88.53% CIP % 88.02% CIP % 89.57% 4

61 Final Ballot Standard drafting team (SDT) did not make substantive changes to requirements Clarifications CIP Requirement R1 Part Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity CIP Requirement R1 Part 1.6 Prior to a change that deviates from the existing baseline configuration verify software identity and integrity. Measure revised to include evidence of automated update process Updated CIP Guidelines and Technical Basis section 5

62 Comment Responses Common questions addressed by the SDT CIP Requirements to address software verifications and vendor remote access are not duplicative of CIP-010/CIP-005 Procurement versus Operational CIP Requirements for vendor remote access do not require session recording CIP Requirements for software verifications apply to baseline changes only (do not apply to new system installation) Software verifications do not need to be repeated for each BES Cyber System 6

63 Implementation Guidance Implementation Guidance developed by the SDT has been endorsed by the ERO Enterprise Provides examples of approaches for complying with CIP Risk-based approach to Cyber Security Supply Chain Risk Management plans (R1) Processes for planning to procure BES Cyber Systems that identify and assess cyber security risks from vendor products or services (R1 Part 1.1) Request-for-proposal or negotiation provisions to address topics in R1 Part Processes for periodically reviewing and approving plans (R3) 7

64 Next Steps Standards will be submitted for the August 10, 2017 NERC Board of Trustees meeting FERC Order No. 830 filing deadline is September 27, 2017 After filing, priority shifts to development of a comprehensive strategy for implementation (pending regulatory approval) 8

65 Contact Information Refer to the Project page for more information to join the list Corey Sellers, Southern Company, SDT Chair at JoAnn Murphy, PJM Interconnection, SDT Vice Chair at 9

66 10

67 Coordinated Oversight Program for Multi-Region Registered Entities Kim Israelsson, Manager, Compliance Program Coordination and Process Integration, WECC 2017 Standards and Compliance Workshop July 11, 2017

68 Agenda Program objective and benefits Inclusion criteria Participation requests 2016 participant survey feedback Program enhancements Current participation ERO Enterprise contacts 2

69 Objective Focus on risk to reliability, while improving: Efficiency o Single point of contact o Streamlining processes Consistency o Compliance Monitoring and Enforcement Program (CMEP) activities o Organization Registration and Certification Program (ORCP) activities o Reporting requirements and tools 3

70 Benefits of Coordinated Oversight for MRREs Lead Regional Entity (LRE) and Affected Regional Entities (ARE) coordinated to provide: Single point of contact for CMEP, ORCP, and other activities Centralized monitoring, enforcement, and reporting 4

71 Criteria for Inclusion in Coordinated Oversight Program Registered Entity Operates in or owns assets in two or more Regional Entity(ies) jurisdictions Verifies its Primary Compliance Contact (PCC), Authorizing Officer (AO), or Primary Compliance Officer (PCO) contact information is accurate prior to submitting request for inclusion Designates a PCC 5

72 Participation Request Process PCC, AO, or PCO submits initial request to designated NERC or Regional Entity MRRE coordinated oversight contacts Requests may include the following information: Registered Entity name(s) NERC Compliance Registry (NCR) Number(s) to be included Applicable Regional Entities Applicable registered functions PCC information for MRRE Description of registered entity(ies) compliance program Description of facilities 6

73 2016 Participant Survey Survey sent to 40 MRREs in Coordinated Oversight Program in June 2016 Responses received from all 40 MRREs Survey requested feedback on: Implementation and streamlining of activities LRE and ARE coordination Overall satisfaction General Comments 97% of MRREs support continued participation 84% of the MRREs believe it fulfills the objectives 7

74 Participant Survey Value Statements The MRRE program has been a welcome enhancement for our compliance efforts. Overall, it has been a very positive experience for our organization. The MRRE program has been extremely successful in streamlining processes and more effectively utilizing resources. Entity s assessment at this early stage is so far, so good. We have no suggestions for improvement at present. The program has been quite beneficial for us. 8

75 Participant Survey Improvement Opportunities Inherent Risk Assessments (IRA) Data systems and portals for data collection Technical Feasibility Exceptions (TFEs) submittals Periodic Data Submittals Communication Information about process and what to expect Guidance on changes to registered entity assets and potential impacts on program participation 9

76 Program Enhancements 2017 enhancements Developed and publically posted an ERO Enterprise consolidated 2017 Periodic Data Submittal schedule Developed internal, ERO Enterprise procedures to address roles, responsibilities, and processes Developed ERO Enterprise templates Conducted ERO Enterprise staff training Ongoing enhancements TFE submittals Communication and transparency of processes Maintain list of Frequently Asked Questions 2017 Participant Survey 2017 outreach (e.g., Fall industry webinar) 10

77 MRRE Regional Breakdown* WECC 6% MRO 12% NPCC 1% RF 16% Texas RE 44% SERC 11% SPP RE 10% *As of Q

78 MRRE Distribution by Registered Function Number of Entities Registered by Registered Function BA DP GO GOP PA RC RP RSG TO TOP TP TSP *As of Q

79 Designated NERC/Regional Entity MRRE Coordinated Oversight Contacts Team Members Scott Knewasser - FRCC Sara Patrick - MRO Stanley Kopman - NPCC Megan Gambrel - RF Todd Curl - SERC Jim Williams SPP RE Bill Lewis Texas RE Kim Israelsson - WECC Barb Nutter - NERC Contact Information sknewasser@frcc.com SE.Patrick@MidwestReliability.org skopman@npcc.org megan.gambrel@rfirst.org TCurl@serc1.org jwilliams.re@spp.org William.Lewis@TEXASRE.org kisraelsson@wecc.biz barbara.nutter@nerc.net For questions, please contact a designated NERC/Regional Entity MRRE contact for assistance 13

80 14

81 Inherent Risk Assessments Kiel Lyons, Manager, Grid Planning and Operations Assurance 2017 Standards and Compliance Workshop July 11, 2017

82 Risk-based CMEP 2

83 What is an IRA? Inherent Risk Assessment (IRA) process end goal is entityspecific Compliance Oversight Plans (COPs) Functions performed Assets owned or operated Location 18 common Electric Reliability Organization (ERO) risk factors and criteria Common criteria established, with regional flexibility provided Other considerations Entity performance data (e.g., misoperations, event analysis) Compliance history Knowledge of the entity (e.g., internal controls) Risk Elements 3

84 Output of IRA How considerations impact monitoring of inherent risk Development of Compliance Oversight Plans (COPs) Reliability Standards and requirements for compliance monitoring Compliance monitoring tools (i.e., CMEP Tools) Interval of compliance monitoring 4

85 Resources Guide for Compliance Monitoring 0Guide%20for%20Compliance%20Monitoring.pdf 5

86 6

87 Compliance Guidance Kiel Lyons, Manager, Grid Planning and Operations Assurance 2017 Standards and Compliance Workshop July 11, 2017

88 Overview Compliance Guidance Policy Types of Guidance Pre-Qualified Organizations Endorsement Process Current Guidance Website Resources Key Take-Aways 8

89 Compliance Guidance Policy Principles Cannot change scope of Reliability Standard May be developed concurrently with Reliability Standard Should not conflict Should be developed collaboratively Not only way to comply Additional Considerations: Finite and limited set Related guidance in one location Consider revising standard Apply professional judgment Feedback loops 9

90 Types of Guidance Compliance Guidance Implementation Guidance CMEP Practice Guides 10

91 Types of Guidance Implementation Guidance Developed by industry, for industry Examples or approaches One of several possible approaches Developed by: Standard Drafting Team (SDT) o Vetted by industry Pre-Qualified Organization o Endorsed by ERO Enterprise, with deference 11

92 Types of Guidance CMEP Practice Guides Developed by ERO Enterprise, but may be initiated through a policy discussion with industry Address how CMEP staff executes CMEP activities o Possible considerations include the discretion to be applied, auditing practices, risk assessment techniques, policies, and areas of focus o Not approaches to comply with standards Uniform approaches that foster consistency across the ERO Enterprise Publically posted for transparency Apply professional judgment when evaluating methods or approaches not identified in guidance 12

93 Types of Guidance CMEP Practice Guides Developed by ERO Enterprise, for ERO Enterprise May be initiated through industry discussions Publically posted ERO Enterprise CMEP staff approach Fosters consistency Possible considerations include the discretion to be applied, auditing practices, risk assessment techniques, policies, and areas of focus 13

94 Pre-Qualified Organizations Approved by Compliance and Certification Committee (CCC) The organization must: Be actively involved in NERC operations Have methods to assure technical rigor Possess ability to vet content 14

95 Pre-Qualified Organizations Pre-Qualified Organization Application Process Applicant applies with the CCC CCC Reviews Application CCC notifies the applicant of approval Applicant is added to Pre- Qualified Organization List 15

96 Pre-Qualified Organizations Standard Drafting Team (SDT) Identifies examples Reviews existing guidance Examples vetted by industry Decision to submit for ERO Enterprise endorsement made by: Project Management and Oversight Subcommittee (PMOS) liaison and NERC Standards Developer submit for ERO Enterprise endorsement May not submit guidance after standard is approved Must be submitted by Pre-Qualified Organization 16

97 Endorsement Process Endorsement of Implementation Guidance Pre-Qualified Organization or SDT submit proposed guidance to Include Implementation Guidance Submittal Form NERC Acknowledges receipt Posts proposed guidance Distributes to ERO SME ERO endorses or declines to endorse Publicly posted Non-Endorsed noted in spreadsheet 17

98 Current Guidance Implementation Guidance Under Development/Consideration CEIWG - Voice Communications in a CIP Environment (VOIP in Control Centers) CEIWG - Shared Facilities (CIP) CEIWG - NRC Employee Access and CIP-004 Personnel Risk Assessment NATF - TPL NATF - CIP Transient Cyber Assets NATF - CIP-014-2, R4 and R5 NEI - PRC-024-2, R1, R2, and R3 WICF - CIP R1 Part Netstat baseline for Ports and Services WICF - MOD-025/MOD Manufacture curve/data is not available 18

99 Website 19

100 Website 20

101 Website 21

102 Website 22

103 Resources Compliance Guidance web page Compliance Guidance Policy L_Board_Accepted_Nov_5_2015.pdf How to Submit Proposed Guidance 23

104 Resources Pre-Qualified Organization list Procedure to Become a Pre-qualified Organization 011_May_BOTCC_updated.pdf Pre-Qualified Organization Application Qualified_Organization.pdf 24

105 Key Takeaways Implementation Guidance is one approach an entity may take to meet its obligations Are developed and vetted by industry Are endorsed/not endorsed by the ERO Enterprise CMEP Practices Guides Developed by, and for the ERO Enterprise Industry Webinar held May 31, Lessons Learned Reference Sheet under development Industry will be notified when available 25

106 26

107 1