2015 Fall Workshop. Download Materials and Submit SPP.org ->Regional Entity ->2015 Fall Workshop:


1 2015 Fall Workshop
Download Materials and Submit SPP.org -> Regional Entity -> 2015 Fall Workshop:
- Online question box generates email to staff from anonymous@reworkshop.spp.org
- You can also email questions/comments to reworkshop@spp.org
- If you want a Professional Development Hours letter, email sscott.re@spp.org

2 Tuesday, September 29
7:30-8:00 Registration and light breakfast
8:00-8:30 Welcome - John Meyer, SPP RE Trustees Chair
8:30-9: CIP Update and Q&A - Steven Keller & Shon Austin, SPP RE
9:25-9:40 Break
9:40-10: Revised Standards in Training (PER-005-2) & Protection Systems (PRC-004-3/4, PRC-005-3(i), PRC-019-1/2, PRC-024-2) - Mike Hughes, Jim Williams, Thomas Teafatiller, SPP RE
10:45-11:00 Break
11:00-12: Compliance Program - Jim Williams & Jeremy Withers, SPP RE
12:00-1:00 Lunch
1:00-4:40 Break-Out Sessions (see next page)
4:50-5:00 Q&A / Closing

Wednesday, September 30
7:30-8:00 Registration and light breakfast
8:00-8:10 Welcome
8:10-9: Registered Entity Panel on Effective Internal Controls - Jim Nail, City of Independence; Tiffany Lake, Westar; Terri Pyle, OG&E
9:20-9:35 Break
9:35-10: Mitigation Expectations - Simran Ahuja, NERC
10:35-10:45 Break
10:45-11: General Manager's Update - Ron Ciesiel, SPP RE
11:15-11: th Anniversary of 1965 Blackout - Dave Christiano, SPP RE Trustee
11:45-12:00 Closing/Surveys - Gerry Burrows, SPP RE Trustee
12:00-1:00 Lunch

The workshop is followed by the RTO Compliance Forum for members and Registered Entities, which requires separate registration.

3 September 29 Break-Out Sessions
Seating is first come, first served. Bring your questions and discussion points! We will leave the phones on in the ballroom for the CIP break-out sessions, but the other sessions will not be available via phone or webex.
1:00-2:00
- Ballroom (no limit): CIP V5 Evidence and Expectations. Facilitated by Sushil Subedi and Steven Keller
- Lashio (seats 40): Compliance 101 (for those new to NERC compliance). Facilitated by Mike Hughes and Thomas Teafatiller
- Martaban (seats 60): Quality Evidence for FAC-008 and PRC-005. Facilitated by Jeff Rooker and Jim Williams
2:10-3:10
- Ballroom (no limit): Low Impact BES Cyber Systems. Facilitated by Shon Austin, Sushil Subedi, Robert Vaughn
- Lashio (seats 40): Disposition Methods for Non-Compliance Issues. Facilitated by Joe Gertsch, Jeremy Withers, and Jeff Rooker
- Martaban (seats 60): Inherent Risk Assessment (IRA)/Internal Control Evaluation (ICE). Facilitated by Steven Keller, Robert Vaughn, and Jim Williams
3:10-3:40 Snack and Coffee Break
3:40-4:40
- Ballroom (no limit): CIP Open Q&A. Facilitated by CIP Team
- Lashio (seats 40): Compliance for Small Entities in Multiple Regions. Facilitated by Bill Bateman, Senior Project Manager at GDS Associates and PCC for several Registered Entities, with Jim Williams, Joe Gertsch, and Thomas Teafatiller
- Martaban (seats 60): New TOP Standards. Facilitated by Greg Sorenson and Jeff Rooker
4:50 Return to ballroom for closing

4 CIP Updates September 29, 2015 Steven Keller and Shon Austin SPP RE Staff

5 Overview
- 2016 Outreach
- Site visits for substations
- Audit approach
- V5 Lessons Learned and FAQs
- Open Issues

6 2016 Outreach
- V5 outreach Jan. Mar
- Preparation for CIP V5 effective date of 4/1/16
- Outreach will shift to Low Impact after 4/1/16
- Free to Registered Entities
- No cost for us to talk
- No limits on topics
- Agenda is driven by Registered Entity
- Invite anyone you wish
- It can be closed or open to other Registered Entities
- Onsite visit or webex/teleconference

7 Audit Visits for Substations
- Visit off-site
- Must show sufficient evidence of compliance: Photos, Diagrams, Documentation
- Goal of reducing travel time
- Substations with only low-impacting BES Cyber Systems
- We will give Registered Entity a list of substations

8 Audit Approach
- Moving away from two weeks onsite
- Aiming for one week onsite with Registered Entity
- Two week pre-audit work
- More interaction during off-site audit review
- Daily calls with Registered Entity
- Eliminate Requirements during pre-audit
- Still will need to do site visits
- Audit success depends on quality evidence

9 CIP Version 5 Guidance: July 1 meeting
- On July 1, 2015, NERC hosted a small, executive-focused face-to-face meeting to discuss the issues in the CIP Version 5 Memoranda
- Led to the posting of industry-vetted Lessons Learned and FAQ via Section 11 of the NERC Standard Processes Manual (SPM)

10 Lessons Learned and FAQs (as of 9/24/15) Transition Update Type Topic Deadline for comments 1/8 Key Postings Programmable Electronic Device Lesson Learned 2/6 Interactive Remote Access Lesson Learned EACMS Mixed Trust Authentication Lesson Learned 1/28/15 Key Postings FAQ Industry Comments N/A 3/2 Key Postings Grouping of BES Cyber Systems (Revised) Lesson Learned Functional Obligations and Control Centers Lesson Learned 3/13 RSAWs Posted project page. 4/14 4/1 Draft FAQs Posted for Industry Frequently Asked Questions (FAQs) Posted for Comment 5/15 Comment 4/22 Transition Update Follow-Up to Implementation Study Report None listed Impact Rating Criteria 2.3 and 2.6 Impact Rating for Generation Connection Facilities Network and Externally Accessible Devices Programmable Electronic Device Control Centers and Functional Obligations 5/1 Draft FAQs Posted for Industry CIP V5 Frequently Asked Questions 6/15 Comment 7/6 Key Postings July 1 Meeting Coordination and Way Forward N/A 7/20 Key Postings Re-post EACMS Mixed Trust Authentication Lesson Learned 8/21 Re-post Interactive Remote Access Lesson Learned Frequently Asked Questions CIP Version 5 Standards 8/19 Key Postings Communications and Networking Cyber Assets IRC 2.3 and 2.6 Compliance Dates Generation Interconnection Lesson Learned 9/10 Key Postings BES Cyber Assets Lesson Learned External Routable Connectivity Lesson Learned 3/30 None listed None listed 7

11 Open Issues
- XML Listener
- Scripting and baselines
- Patch assessments
- Patch implementation
- Conducting PRAs for Contractors
- Alerts for Security Events

12 Issues and Concerns V5
XML Listener
- Means of systematically communicating operating generation dispatch instructions from BA to GO (for Setpoints and Startup/Shutdown notifications)
Solution
- Place applicable asset within its own Demilitarized Zone (DMZ)
- Enable the required ports
- Allow the IP addresses required by BA

13 Issues and Concerns V5
Scripting and Baselines
A. Scripts that are stored on the BES Cyber Asset (BCA) and have been developed and/or customized locally?
B. Scripts that are not stored on a BCA, but have been developed and/or customized locally?
C. Scripts that were delivered with a third-party application, can be locally customized, but have not been?
D. Scripts that were delivered with a third-party application, but cannot be locally customized?
Solution
- A: Baseline
- B: No Baseline Required
- C: No Baseline Required
- D: No Baseline Required

14 Issues and Concerns V5
Patch Assessments
- What is the maximum number of days the CIP requirement allows to assess a security patch?
Solution
- 35 days to complete the assessment after the patch is released by the Registered Entity's designated source

15 Issues and Concerns V5
Patch Implementation
- What is the maximum number of days the CIP requirement allows to implement an applicable security patch?
Solution
- 35 days after the patch has been assessed and found applicable

16 Issues and Concerns V5
Patch Implementation
- What if I can't implement the patch within 35 days of assessment?
Solution
- Develop a new mitigation plan, or
- Update an existing mitigation plan and get CIP Senior Manager or delegate approval
- You may need a Technical Feasibility Exception

17 Issues and Concerns V5
Conducting Personnel Risk Assessment (PRA) for Contractors
- Can I let the contracting company perform the PRA on their personnel?
Solution
- Yes, subject to the following expectations:
- Must review and approve contractor's PRA program
- Confirm the contractor's evaluation criteria align with the Registered Entity's
- Confirm the contractor followed its program

18 Issues and Concerns V5
Alerts for Security Events/Unauthorized Access
- If I get alerts sent to my smart phone for security events and/or unauthorized access attempts, does my phone have to be CIP protected?
Solution
- No, the phone does not meet the definition of an EACMS (Electronic Access Control or Monitoring System) or PACS (Physical Access Control System)

19 Summary
- Contact SPP RE for outreach assistance ASAP
- Don't be shy about asking SPP RE questions; there are no audit implications!
- Cut down on-site audit time by submitting quality evidence
- See breakout session slides on CIP V5 Evidence and Expectations
- Follow NERC's transition guidance
- Pay close attention to requirements applicability statements

20 SPP RE CIP Team Kevin Perry, Director of Critical Infrastructure Protection (501) Shon Austin, Lead Compliance Specialist-CIP (501) Steven Keller, Lead Compliance Specialist-CIP (501) Jeremy Withers, Senior Compliance Specialist-CIP (501) Sushil Subedi, Compliance Specialist II-CIP (501) Robert Vaughn, Compliance Specialist II-CIP (501)

21 Revised Standards September 29, 2015 Fall Workshop SPP RE Staff: Jim Williams Thomas Teafatiller Mike Hughes

22 Use of Presentation
- This presentation covers highlights from multiple NERC Reliability Standards
- For simplicity, some wording from the standard has been shortened, paraphrased, or omitted
- Due to space and time constraints, some topics, special cases, and notes have not been addressed
- It is important to read each standard in its entirety and independently verify the accuracy of the information contained in this presentation prior to reliance upon that information for NERC compliance

23 Overview
TRAINING
- PER Operations Training, Effective 7/1/16
PROTECTION
- PRC-004-3/4 Misoperations, Effective 7/1/16
- PRC-005-3(i)/4 Protection Systems, Effective 4/1/16 & 10/1/16
- PRC-019-1/2 Voltage Regulating Controls, Effective 7/1/16
- PRC-024-1/2 Frequency/Voltage Relays, Effective 7/1/16

24 PER Operations Personnel Training (Effective 7/1/16) 4

25 PER
Enforcement Date: July 1, 2016
Applicability, Functional Entities:
- Reliability Coordinator
- Balancing Authority
- Transmission Operator
- Transmission Owner
- Generator Operator

26 PER-005 Applicability
Added Functional Entities:
- Transmission Owner that has: Personnel, excluding field switching personnel, who can act independently to operate or direct the operation of the Transmission Owner's Bulk Electric System transmission Facilities in Real-time.
- Generator Operator that has: Dispatch personnel at a centrally located dispatch center who receive direction from the Generator Operator's Reliability Coordinator, Balancing Authority, Transmission Operator, or Transmission Owner, and may develop specific dispatch instructions for plant operators under their control. These personnel do not include plant operators located at a generator plant site or personnel at a centrally located dispatch center who relay dispatch instructions without making any modifications.

27 PER-005 version 1 to version 2
Version 1:
- PER R1 ... shall use a systematic approach to establish a training program
Version 2:
- PER R1 ... shall use a systematic approach to develop and implement a training program

28 PER-005 version 1 to version 2
Version 1:
- PER R1.1 ... shall create a list of BES company-specific reliability-related tasks performed by its System Operator.
- R1.1.1 ... each calendar year identify new or modified tasks for inclusion in training.
Version 2:
- PER R1.1 ... shall create a list of Bulk Electric System (BES) company-specific Real-time reliability-related tasks based on a defined and documented methodology.
- R1.1.1 ... shall review and update its list if necessary

29 PER-005 version 1 to version 2
Version 1:
- PER R1.2 ... shall design and develop learning objectives and training materials
- R1.3 ... shall deliver its training established in R1.2.
- R1.4 ... shall conduct an annual evaluation of the training program
Version 2:
- PER R1.2 ... shall design and develop training materials according to its training program
- R1.3 ... shall deliver its training according to the training program.
- R1.4 ... shall conduct an evaluation each calendar year of the training program

30 PER-005 Version 1 to Version 2
Version 1:
- PER R2 ... shall verify each System Operators capabilities to perform each assigned task at least one time. (RC, BA and TOP)
- R2.1 ... shall verify capabilities to perform new or modified tasks.
Version 2:
- PER R3 ... shall verify, at least once, the capabilities of its personnel. (RC, BA, TOP and TO)

31 PER-005 Version 1 to Version 2
Version 1:
- PER R3 At least every 12 months each RC, BA and TOP shall provide 32 hours of EOPs training.
- R3.1 Each RC, BA and TOP that has operational authority or control over Facilities with established IROLs or has established operating guides or protection systems to mitigate IROL violations shall provide each System Operator with emergency operations training using simulation technology
Version 2:
- PER R4 Each RC, BA, TOP and TO that has operational authority or control over Facilities with established IROLs or has established protection systems or operating guides to mitigate IROL violations shall provide each personnel with emergency operations training using simulation technology

32 PER-005 Version 1 to Version 2
- PER R5 Each RC, BA, TOP shall use a systematic approach to develop and implement training for its identified Operations Support Personnel on how their job function(s) impact those BES company-specific Real-time reliability-related tasks.
- R5.1 ... shall conduct an evaluation each calendar year of the training established in Requirement R5 to identify and implement changes to the training.
- R6 Each Generator Operator shall use a systematic approach to develop and implement training to its personnel identified in Applicability Section of this standard, on how their job function(s) impact the reliable operations of the BES during normal and emergency operations.

33 PER Evidence
- R1: Evidence of using a systematic approach to develop and implement a training program for its System Operators
- R1.1: The methodology and its BES company-specific Real-time reliability-related task list, with the date of the last review
- R1.2: Training materials
- R1.3: System Operator training records showing the names of the people trained, the title of the training delivered, and the dates of delivery to show that it delivered the training
- R1.4: Evidence (such as instructor observations, trainee feedback, supervisor feedback, course evaluations, learning assessments, or internal audit results) that it performed an evaluation of its training program

34 PER Evidence
Each TO:
- R2: Evidence of using a systematic approach to develop and implement a training program
- R2.1: Methodology and its BES company-specific Real-time reliability-related task list, with the date of the last review
- R2.2: Training materials
- R2.3: Training records
- R2.4: Evidence (such as instructor observations, trainee feedback, supervisor feedback, course evaluations, learning assessments, or internal audit results) that it performed an evaluation of its training program

35 PER Evidence
- R3: Evidence to show that it verified the capabilities of each of its personnel assigned to perform each of the BES company-specific Real-time reliability-related tasks. May be documents such as records showing capability to employee name and date; supervisor check sheets showing the employee name, date, and BES company-specific Real-time reliability-related task completed; or the results of learning assessments.
- R4: Training records that provide evidence that personnel identified in R1 or R2 completed training that includes the use of simulation technology
- R5: Operations Support Personnel completed training in accordance with its systematic approach
- R6: GOP's applicable personnel completed training in accordance with its systematic approach.

36 Dispersed Generation Resources The four standards that follow have each been updated to address treatment of dispersed power generation The NERC web page for Project Standards Applicability for Dispersed Generation Resources, and the associated white paper may be found here 16

37 PRC Protection System Misoperation Identification and Correction (Effective 7/1/16) Link- PRC

38 Overview of Changes for PRC-004
- Version 3 and Version 4 were both approved with the same effective date
- V4 will supersede V3
- V4 just changed one applicability statement
- New standard is a complete rewrite
- New Standard put time limits on everything
- Previous standard didn't spell out analysis of operations

39 PRC Applicability
Applicability, Add:
- Underfrequency load shedding BES elements
Applicability, Exclude:
- Non-protective functions within Protection System
- Protective functions intended to operate as a control function during switching
- Special Protection Systems (SPS)
- Remedial Action Schemes (RAS)

40 PRC R1
R1: If you own a BES interrupting device and it operates, within 120 days you shall identify whether its Protection System component(s) caused a Misoperation
Evidence may include:
- Reports, emails
- Analyses of sequence of events
- Relay targets, test results
- Disturbance Monitoring Equipment (DME) records

41 PRC R2
R2: If you own a BES interrupting device that operates, within 120 days notification should be made to the other owners, if the Composite Protection System ownership is shared
Evidence may include:
- Emails
- Faxes
- Transmittals

42 PRC Cont.
R3: If you receive a notice pursuant to R2, you should identify whether your Protection System component caused a Misoperation. This should happen within the later of 60 calendar days of notification or 120 calendar days of the operation.
Evidence may include:
- Reports, emails
- Analyses of sequence of events
- Relay targets, test results
- Disturbance Monitoring Equipment (DME) records

43 PRC Cont.
R4: If you identify a Misoperation occurred in R1 or R3 and haven't identified a cause, investigative actions must be performed at least once every two calendar quarters until:
(1) Cause is found, or
(2) Declare that no cause was identified
Evidence may include:
- Reports, emails
- Analyses of sequence of events
- Relay targets, test results
- Disturbance Monitoring Equipment (DME) records

44 PRC Cont.
R5: If your Protection System component causes a Misoperation, within 60 calendar days from identifying the cause:
(1) Corrective Action Plan (CAP) must be developed and you must evaluate the plan's applicability to other locations, or
(2) Declare why corrective actions are beyond your control or would not improve BES reliability
Evidence may include:
- Corrective Action Plan and evaluation
- Declaration

45 PRC Cont.
R6: Implement each CAP developed in R5, and update each CAP if actions or timetables change, until completed
Evidence may include:
- Records that CAP was implemented
- Revision history of CAPs with changes

46 PRC Protection System Misoperation Identification and Correction (Effective 7/1/16) PRC

47 PRC Dispersed Power Generation Applicability - Exclude: Protection Systems of individual dispersed power producing resources identified under Inclusion I4 of the BES definition where the Misoperations affected an aggregate nameplate rating of less than or equal to 75 MVA of BES Facilities. 27

48 PRC-005-3(i)/4 Protection System and Automatic Reclosing Maintenance (Effective 4/1/16 & 10/1/16) 28

49 Overview of Changes for PRC-005
- PRC-005-3(i) adds Automatic Reclosing Maintenance
- PRC adds Sudden Pressure Relay Maintenance
- PRC-005 is not applicable to dispersed generation resources below an aggregate of 75 MVA (same position as the dispersed generation resource white paper)
- The implementation plan established under PRC remains unchanged except for the addition of Automatic Reclosing and Sudden Pressure Relays

50 PRC-005-3(i) Applicability to Dispersed Generation Resources Protection Systems for Facilities used in aggregating dispersed BES generation from the point where those resources aggregate to greater than 75 MVA to a common point of connection at 100kV or above. 30

51 PRC Applicability to Automatic Reclosing
- Automatic Reclosing applied on the terminals of Elements connected to the BES bus located at generating plant substations where the total installed gross generating plant capacity is greater than the gross capacity of the largest BES generating unit within the Balancing Authority Area or, if a member of a Reserve Sharing Group, the largest generating unit within the Reserve Sharing Group. (see footnote 1 for exclusions)
- For SPP BA, largest BES generating unit is ~1,200 MW
- For other BAs (MISO; SWPA), applicability is based on the largest generating unit in that BA

52 PRC Applicability to Automatic Reclosing, continued
- Automatic Reclosing applied on the terminals of all BES Elements at substations one bus away from generating plants specified in Section when the substation is less than 10 circuit-miles from the generating plant substation
- Automatic Reclosing applied as an integral part of a RAS* specified in Section
* RAS or Remedial Action Scheme, formerly Special Protection Scheme (SPS). See NERC Glossary of Terms for definition of RAS.

53 PRC Applicability to Sudden Pressure Relaying Protection Systems and Sudden Pressure Relaying that are installed for the purpose of detecting Faults on BES Elements (lines, buses, transformers, etc.) 33

54 PRC-005 Evidence
Evidence of maintenance within time-based intervals may include but is not limited to dated:
- Maintenance records
- Maintenance summaries
- Check-off lists
- Inspection records
- Work orders

55 PRC-005-3(i) Implementation Plan for Automatic Reclosing
Maximum Maintenance Interval | % Compliant | By
6 calendar years | 30% | April 1, 2018 (36 months following regulatory approval)*
6 calendar years | 60% | April 1, 2020 (60 months following regulatory approval)
6 calendar years | 100% | April 1, 2022 (84 months following regulatory approval)
12 calendar years | 30% | April 1, 2020 (60 months following regulatory approval)
12 calendar years | 60% | April 1, 2024 (108 months following regulatory approval)
12 calendar years | 100% | April 1, 2028 (156 months following regulatory approval)
* Or, for generating plants with scheduled outage intervals exceeding three years, at the conclusion of the first succeeding maintenance outage.

56 PRC Implementation Plan for Sudden Pressure Relays
Maximum Maintenance Interval | % Compliant | By
6 calendar years | 30% | October 1, 2018 (36 months following regulatory approval)*
6 calendar years | 60% | October 1, 2020 (60 months following regulatory approval)
6 calendar years | 100% | October 1, 2022 (84 months following regulatory approval)
12 calendar years | 30% | October 1, 2020 (60 months following regulatory approval)
12 calendar years | 60% | October 1, 2024 (108 months following regulatory approval)
12 calendar years | 100% | October 1, 2028 (156 months following regulatory approval)
* Or, for generating plants with scheduled outage intervals exceeding three years, at the conclusion of the first succeeding maintenance outage.

57 PRC-005 Links PRC-005-3(i) PRC-005-3(i) Implementation Plan NERC Standards Subject to Future Enforcement* PRC Implementation Plan Project * NERC Project Standards Applicability for Dispersed Generation Resources * Check these NERC web pages for posting of PRC

58 NERC Project Generator Verification The two standards that follow, PRC-019 and PRC-024, are new standards created under NERC Project to ensure that generators will not trip off-line during specified voltage and frequency excursions or as a result of improper coordination between generator protective relays and generator voltage regulator controls and limit functions 38

59 PRC-019-1/2 Coordination of Generating Unit, Voltage Regulating Controls, and Protection (Effective 7/1/16) 39

60 PRC-019-1/2 Background
- PRC was created under NERC Project Generator Verification
- The purpose is to verify coordination of generator (or plant) voltage regulator controls and limit functions
- PRC is a minor change to address distributed generation resources
- PRC becomes effective 7/1/2016
- Skip PRC (use PRC-019-2)

61 PRC Applicability
- Individual generating unit greater than 20 MVA (gross nameplate rating) directly connected to the Bulk Electric System
- Individual synchronous condenser greater than 20 MVA (gross nameplate rating) directly connected to the Bulk Electric System
- Generating plant/Facility consisting of one or more units that are connected to the Bulk Electric System at a common bus with total generation greater than 75 MVA (gross aggregate nameplate rating).

62 PRC Applicability This includes individual generating units of the dispersed power producing resources identified through Inclusion I4 of the Bulk Electric System definition where voltage regulating control for the facility is performed solely at the individual generating unit of the dispersed power producing resources. [The Standards Drafting Team (SDT) clarified - facilities that solely regulate voltage at the individual generating unit are subject to the requirements.] 42

63 PRC R1, R2
At a maximum of every five calendar years (R1), and within 90 days following changes that will affect the coordination (R2), coordinate the voltage regulating system controls:
- Verify in-service limiters are set to operate before the Protection System to avoid disconnecting the generator unnecessarily
- Verify Protection System devices are set to isolate equipment when operating conditions exceed equipment capability or stability limits

64 PRC Evidence M1. evidence (such as examples provided in PRC-019 Section G) that it coordinated the voltage regulating system controls, including in-service limiters and protection functions, with the applicable equipment capabilities and settings of the applicable Protection System devices and functions as specified in Requirement R1. This evidence should include dated documentation that demonstrates the coordination was performed. (See standard for M2) 44

65 PRC P-Q Diagram 45

66 PRC-019 Links PRC PRC PRC Implementation Plan PRC Implementation Plan 46

67 PRC-024-1/2 Generator Frequency and Voltage Protection Relay Settings (Effective 7/1/16) 47

68 PRC-024-1/2 Background
- Applicable to Generator Owner
- PRC was created under NERC Project Generator Verification
- The purpose is to ensure that generators remain connected during defined frequency and voltage excursions
- PRC is a minor change to address distributed generation resources
- PRC becomes effective 7/1/2016
- Skip PRC (use PRC-024-2)

69 PRC R1
Set overfrequency (ANSI 81O)* and underfrequency (ANSI 81U) trip relays such that the relaying does not trip the generator within the "no trip zone" of PRC-024 Attachment 1, subject to the following exceptions:
- Impending or loss of synchronism (out-of-step)
- Necessitated to clear a system fault
- Equipment limitations (within the "no trip zone") documented and communicated in accordance with R3
* We have included these American National Standards Institute (ANSI) relay numbers for your information

70 PRC R2
Set overvoltage (ANSI 59) and undervoltage (ANSI 27) trip relays such that the relaying does not trip the generator within the "no trip zone" of PRC-024 Attachment 2, subject to the following exceptions:
- Impending or loss of synchronism (out-of-step)
- Necessitated to clear a system fault
- Equipment limitations (within the "no trip zone") documented and communicated in accordance with R3
- In accordance with a Special Protection System (SPS) or Remedial Action Scheme (RAS)

71 PRC R3, R4
- R3: Document and communicate limitations to the Planning Coordinator (PC) and Transmission Planner (TP) within 30 days following any change in limitations (including removal of previous limitations)
- R4: Provide trip settings to the PC or TP within 60 days upon request (and within 60 days of any change if previously submitted to PC or TP)

72 PRC Generator Frequency Protective Relaying
Footnote #2 [R1]: For frequency protective relays associated with dispersed power producing resources identified through Inclusion I4 of the BES definition, this requirement applies to frequency protective relays:
- Applied on the individual generating unit of the dispersed power resources
- Applied on equipment from the individual generating unit of the dispersed power producing resource up to the point of interconnection

73 PRC Generator Voltage Protective Relaying
Footnote #4 [R2]: For voltage protective relays associated with dispersed power producing resources identified through Inclusion I4 of the BES definition, this requirement applies to voltage protective relays:
- Applied on the individual generating unit of the dispersed power resources
- Applied on equipment from the individual generating unit of the dispersed power producing resource up to the point of interconnection

74 PRC Rationale for Footnotes 2 and 4 The point of the Standard is to keep generating units on-line and running during frequency or voltage excursions. Individual generators and aggregating equipment must be set to respect the no-trip zone referenced in the requirements. 54

75 PRC Evidence
M1. Each GO shall have evidence that generator frequency protective relays have been set in accordance with R1 such as:
- Setting and calibration sheets
M2. Each GO shall have evidence that generator voltage protective relays have been set in accordance with R2 such as:
- Setting and calibration sheets
- Voltage-time curves
- Coordination plots
- Dynamic simulation studies or other documentation
(See standard for M3 and M4)

76 PRC Links PRC PRC Implementation Plan 56

77 FOR REFERENCE Webinar presented on other new standards 57

78 Upcoming Standards August 6, 2015 SPP RE Webinar Greg Sorenson, Steven Keller SPP RE Staff

79 Overview
- CIP (effective 10/1/15)
- COM (effective 10/1/15)
- PRC (effective 10/1/15)
- FAC (effective 1/1/16)
- FAC (effective 1/1/16)
- MOD (effective 7/1/16)

80 CIP
- FERC directed NERC to develop a physical security standard on March 7, 2014
- The order requires a standard: to identify facilities on the Bulk-Power System that are critical to the reliable operation of the Bulk-Power System. Then, owners or operators of those identified critical facilities should develop, validate and implement plans to protect against physical attacks that may compromise the operability or recovery of such facilities.
- 90 days to submit standard to FERC

81 CIP
Applicability: Transmission Operators
Applicability: Transmission Owners that own:
- 500 kV or higher Transmission Facilities
- 200 kV to 499 kV Transmission Facilities that meet the weighting table's 3000 point threshold
- Transmission Facilities identified by the Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs)
- Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements

82 CIP
First three requirements deal with:
- Risk assessment to identify in-scope assets
- Review of the risk assessment by an unaffiliated third-party reviewer
- Sharing of information with affected entities
Three subsequent requirements deal specifically with physical security issues:
- Evaluate potential threats and vulnerabilities
- Develop and implement a documented physical security plan
- Unaffiliated third-party review of the evaluation and corresponding security plan

83 CIP
- R1 must be complete by 10/01/15
- R2 shall be completed as follows:
  - Parts 2.1, 2.2, and 2.4 shall be completed by 12/30/15
  - Part 2.3 shall be completed within 60 calendar days of the completion of performance under R2 part 2.2
- R3 shall be completed within 7 calendar days of completion of performance under R2
- R4 and R5 shall be completed within 120 calendar days of completion of performance under Requirement R2
- R6 shall be completed as follows:
  - Parts 6.1, 6.2, and 6.4 shall be completed within 90 calendar days of completion of performance under R5
  - Part 6.3 shall be completed within 60 calendar days of R6 part

84 CIP Suggested Evidence R1 List of all BES stations/substations List of Transmission stations/substations planned in the next 24 months. List of Transmission stations/substations that meet criteria specified in Section Current and Prior R1 risk assessments R2 Dated evidence of third-party verification of entity's risk assessment performed under R1 64

85 CIP Suggested Evidence R2 Dated documentation of third-party verification and recommendations for addition or deletion, if any, including recommendations from third-party verifier or explicit statement from the third-party verifier that the verification was completed with no recommendations R3 If applicable, dated communications with TOP identified control centers as in scope for R4-R6 65

86 CIP Suggested Evidence R4 List of all stations, substation, and control centers identified in R1-R3 A description of the entity's process for executing the evaluation prescribed in Requirement R4 Dated threat and vulnerability assessment containing all components specified in Requirement R4. Threat and vulnerability assessments may be separate documents provided they are used together to determine vulnerabilities 66

87 CIP Suggested Evidence R5 List of all stations, substation, and control centers identified in R1-R3 Dated physical security plan(s) addressing all components of R5 Evidence supporting implementation of measures identified in the physical security plan such as: training records work orders photographic evidence visual verification direct observations 67

88 CIP Suggested Evidence R6 Dated documentation of unaffiliated third-party dated review of entity's R4 evaluation and R5 security plan(s) Documentation of recommendations or statement indicating no recommendations Documentation of changes in response to recommendation(s) and/or rationale for declining recommended change(s) 68

89 COM Replaces COM for voice communications Data communication will be covered by revised TOP standards filed at FERC (NOPR issued) New Applicable Registered Entities Distribution Provider, Generator Operator 69

90 COM Definitions Interpersonal Communication Any medium that allows two or more individuals to interact, consult, or exchange information Alternate Interpersonal Communication Any Interpersonal Communication that is able to serve as a substitute for, and does not utilize the same infrastructure (medium) as, Interpersonal Communication used for day-to-day operation. Caution: VoIP and often rely on same infrastructure 70

91 COM R1 and R2 RC must have primary and designate Alternate Interpersonal Communications with all internal TOPs, BAs, and adjacent RCs. R3 and R4 Each TOP must have primary and designate Alternate Interpersonal Communications with the RC, BA, and all adjacent TOPs New R3 Each TOP must have primary Interpersonal Communication with each DP and GOP Are you sure phone list 100% complete? 71

92 COM R5 and R6 Each BA must have primary and designate Alternate Interpersonal Communications for the RC, each TOP that operates facilities in that BA (metered boundaries), and adjacent BAs New R5 each DP in its area, each GOP that operates facilities in its BA R7- Each DP shall have Interpersonal Communication with the TOP and BA R8- Each GOP shall have Interpersonal Communication with the TOP and BA 72

93 COM Evidence examples R1 through R8 Physical installation Equipment specifications, test records, voice recordings, electronic communications 73

94 COM R9 Each TOP, BA, and RC shall test its Alternate Interpersonal Communication each calendar month If failed, have 2 hours to initiate action to repair or designate replacement R10 If primary Interpersonal Communication failed, 60 minutes to notify entities in R1, R3, R5 of detection if it lasts 30 minutes or longer. - When does 60 minutes begin? R11 Each DP and GOP detecting a failure should consult with affected parties and agree on restoration plan 74

95 COM Evidence examples Phone test records, log entries Ensure action taken to initiate repair within 2 hours Clear notification of others within 60 minutes If many others, may need to start this process before 59 minutes Starts when the detection occurs (not after the 30 minutes) For DPs and GOPs, ensure communication and agreed-upon plan is documented (or recorded) 75

96 COM Data Retention Requirements Written Documentation 12 calendar months Voice recordings Last 90 days 76

97 PRC Only changes to R9, R10, and a new R15 R9 Each UFLS entity shall provide automatic tripping of Load in accordance with the UFLS program design and schedule for implementation, including any Corrective Action Plan, as determined by its Planning Coordinator in each PC area in which it owns assets UFLS Entity must implement Corrective Action Plans PC could develop a Corrective Action Plan as a result of a study or an event 77

98 PRC R10 Each TO shall provide automatic switching of its existing capacitor banks, Transmission Lines, and reactors to control over-voltage as a result of underfrequency load shedding if required by the UFLS program and schedule for implementation, including any Corrective Action Plan, as determined by the PC in each PC area in which the TO owns transmission. Ensures that any voltage issues are addressed PC develops Corrective Action Plans based on a study or an event 78

99 PRC Evidence Relays properly set to the PC's UFLS plan Relay setting printouts UFLS relay tests, etc. Switching scheme logic or plans Making changes within the implementation plan as specified by the PC 79

100 PRC R15: If PC conducts a design assessment and determines that performance criteria not met: If a 5 year assessment is performed, assessment should include the Corrective Action Plan and a schedule for implementation (implementation may take longer) If a post-event assessment is performed, Corrective Action Plan developed within 2 years PC develops the schedule; UFLS entities must follow it 80

101 FAC TOs must all have Facility Interconnection requirements GOs with executed agreements must develop Facility Interconnection requirements within 45 days New standard has simpler list of requirements (R3) Procedures for coordinated studies of new or materially modified existing interconnections and their impacts on affected systems Procedures for notifying those responsible for the reliability of affected systems of new or materially modified existing interconnections 81

102 FAC R1- Same new material modification discussion R1- Each TP and each PC SPP RE expects both parties to approve if a coordinated study is done GOs, TOs, and DPs must have evidence of coordination with the TP and PC (for example, provided needed data and modeling information) GOs have an explicit requirement to ensure studies are done before adding to its facilities. 82

103 MOD Glossary Term Revisions Demand Side Management All activities or programs undertaken by any applicable entity to achieve a reduction in Demand. Total Internal Demand The Demand of a metered system, which includes the Firm Demand, plus any controllable and dispatchable DSM Load and the Load due to the energy losses incurred within the boundary of the metered system. 83

104 MOD Combined the following standards MOD MOD MOD MOD MOD MOD was removed as it was identified as dealing with the operational time frame and should not be addressed with the other standards since they were applicable to the planning horizon MOD

105 MOD Applicable Entities Planning Authority and Planning Coordinator (hereafter collectively referred to as the Planning Coordinator ) Transmission Planner Resource Planner Balancing Authority Load-Serving Entity Distribution Provider 85

106 MOD Overview of Requirements R1- Planning Coordinator or Balancing Authority that identifies need for model data shall: Issue data request to applicable entities in its area R details of data requested and timeline to provide Evidence - dated data request from PC or BA 86

107 MOD Overview of Requirements R2- Each Applicable Entity identified in R1 provide data in accordance with R1 specifications and timeframe Evidence - dated transmittal to PC or BA R3- Planning Coordinator or Balancing Authority provide data collected under R2 to applicable Regional Entity within 75 days of request Evidence - dated transmittal to RE within time frame of R3 87

108 MOD Requesting Data R4 Any Applicable Entity shall, in response to a written request for the data included in parts of Requirement R1 from a Planning Coordinator, Balancing Authority, Transmission Planner or Resource Planner with a demonstrated need for such data in order to conduct reliability assessments of the Bulk Electric System, provide or otherwise make available that data to the requesting entity This is a change and allows more access to data by the industry Timeframe of 45 days to provide data R4.1 provision to not provide data 88

109 MOD-031 Summary Provides PC and TP the authority to collect actual Demand and Demand Side Management Ensures historical and forecasted demand and energy information, forecasts, and assumptions are available to the parties that perform reliability studies/assessments Compares historical and forecasted Demand Consistent documentation and information sharing activities Supports effective planning practices to correctly identify needed system upgrades 89

110 Questions Please feel free to ask Greg Sorenson Senior Compliance Engineer Steven Keller Lead Compliance Specialist-CIP

111 2016 Implementation Plan September 29, 2015 Jeremy Withers, Senior Compliance Specialist Jim Williams, Lead Compliance Specialist

112 IMPLEMENTATION PLAN HIGHLIGHTS 2

113 What is the CMEP Implementation Plan? Electric Reliability Organization (ERO) Compliance Monitoring and Enforcement Program Implementation Plan (IP) is the annual operating plan In 2014, NERC began to consolidate the IP with the Regional Entities as Appendices SPP RE is Appendix A6 3

114 ERO Implementation Plan NERC is responsible for collecting and reviewing the RE's IPs During the implementation year, NERC or an RE may update the IP 4

115 Appendix A6 SPP RE 2016 Highlights Staffing - Two open positions, reduced enforcement staff, filled CIP Compliance Specialist position in 2015 Inherent Risk Assessments (IRA) schedule SPP RE completed 24 IRAs for Registered Entities on 2015 audit schedule By the end of 2015, SPP RE will complete IRAs for Registered Entities on 2016 schedule By the end of 2016, SPP RE will complete IRAs for remaining Registered Entities CIP monitoring will focus on Registered Entities with high and medium impact BES Cyber Systems SPP RE CIP staff will continue CIP V5 outreach 5

116 Appendix A6 SPP RE 2016 Highlights Security Reliability Program will transition from NERC to REs Periodic data submittals still required SPP RE has identified Self-Certification requirements on either a quarterly or annual basis 6

117 Appendix A6 SPP RE 2016 Highlights SPP RE will continue to engage Registered Entities that request: Internal Control Evaluations (ICE) In conjunction with a monitoring activity Outside a scheduled monitoring activity Self-Logging A Registered Entity assessment will be performed before granting the ability to self-log 7

118 Coordinated Oversight Registered Entities that are registered in multiple regions are called Multi-Region Registered Entities (MRREs) - MRREs may not have the same NCR number but could be under the same parent company MRREs may request to be in the Coordinated Oversight Program The affected or associated REs will select a Lead RE to implement the MRRE's compliance program SPP RE is the Lead RE for three MRREs SPP RE is the Affected RE for 10 other MRREs 8

119 ERO Reliability Assessment Regional Reliability Assessment Registered Entity Assessment/ Monitoring Scope ERO RELIABILITY ASSESSMENT 9

120 Risk-Based Compliance Oversight In 2016, risk-based compliance oversight framework will continue Focuses on identifying, prioritizing, and addressing BPS risks SPP RE is responsible for assessing Registered Entities' risks through IRA and tailoring monitoring activities: Monitoring method (Audit, Spot-Check or Self-Certifications) Frequency Scope 10

121 Risk-Based Compliance Oversight Framework Identify the Risk Elements that are applicable to the Registered Entity to determine the initial monitoring scope 11

122 Development of Risk Elements NERC identified risk elements by using data including but not limited to: Compliance findings Event analysis Data analysis Expert judgement of NERC, RE staff, and committees SPP RE developed RE-specific risk elements by using: Compliance findings in SPP RE footprint Regional system events SPP RE staff's professional judgement 12

123 Critical Comparison of 2015 and 2016 ERO Risk Elements 2015 Risk Elements 2016 Risk Elements Cyber Security Critical Infrastructure Protection Extreme Physical Events Extreme Physical Events Infrastructure Maintenance Maintenance and Management of BPS Assets Monitoring and Situational Awareness Monitoring and Situational Awareness Protection System Misoperations Uncoordinated Protection Systems Protection System Failures Long Term Planning and System Analysis Event Response/Recovery Planning and System Analysis Human Error Human Performance Workforce Capability (N/A for 2016) 13

124 2016 ERO Risk Elements Critical Infrastructure Protection Standard Requirements Functions Asset Type CIP R1, R2 BA, GOP, GO, RC, TOP, TO Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities CIP R1, R2 BA, GOP, GO, RC, TOP, TO CIP R1, R2, R3 BA, RC, TOP, TO CIP R1,R2, R3, R5 BA, RC, TOP, TO Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities Control Centers, Backup Control Centers, Data Centers, Substations Control Centers, Backup Control Centers, Data Centers 14

125 2016 ERO Risk Elements Extreme Physical Events Standard Requirements Functions EOP R1, R3 RC, TOP CIP R1, R2 TO Maintenance and Management of BPS Assets Standard Requirements Functions FAC R6 GO, TO PRC-005-2(i) R3, R4, R5 DP, GO, TO 15

126 2016 ERO Risk Elements Monitoring and Situational Awareness Standard Requirements Functions IRO a R1, R2 RC TOP R1, R2, R7 BA, RC, TOP Protection System Failures Standard Requirements Functions PRC (ii) R3, R4, R5 GOP, TOP PRC (i) R1, R2 DP, GO, TO 16

127 2016 ERO Risk Elements Event Response/Recovery Standard Requirements Functions EOP b R1, R2, R3 BA, TOP TOP R1, R2, R3, R4 RC, TOP Human Performance Standard Requirements Functions COM R2 RC, TOP, BA PER R2, R3 RC, TOP, BA 17

128 2016 ERO Risk Elements Planning and System Analysis Standard Requirements Functions EOP R4 BA TPL R1, R2, R3, R4 PC, TP FAC R1, R5 RC, TOP 18

129 ERO Reliability Assessment Regional Reliability Assessment Registered Entity Assessment/ Monitoring Scope SPP RE ASSESSMENT 19

130 SPP RE Regional Monitoring Scope Plan SPP RE developed a 2016 Monitoring Scope Plan that identifies risk elements in SPP RE footprint 1. Facility Ratings 2. Restoration 3. Frequency Response 4. Voltage Support 5. Operational Planning 6. New Standards for Critical Infrastructure Protection 20

131 SPP RE Ops & Planning Risk Elements Standards Requirements Applicable SPP RE Risk Functions Element Justification BAL R1 BA Frequency Response Frequency Response, New Standard COM R3, R9 TOP New Standard New Standard October Communication COM R1, R5, R6 BA, RC, TOP New Standard New Standard July Human Performance EOP R6, R10 TOP Restoration Verify restoration plans EOP R4 BA, TOP Restoration Backup site functionality FAC R1, R2, R3 GO Facility Ratings Facility Ratings PER R3, R4 RC, TOP, BA, TO New Standard New Standard July 2016 Human Performance PRC R1, R2 DP, GO, TO New Standard New Standard July Protection System PRC b R1, R2 DP, GO, TO Maintenance Dual Program with PRC-005-2(i) PRC-005-2(i) R1 DP, GO, TO Maintenance Underlying program for R3, R4 PRC-005-3(i) R1, R3, R4, R5 DP, GO, TO New Standard New Standard April Maintenance PRC R8, R9 TO, DP Frequency Response UFLS TOP b R6, R11, R19 TOP Operations Planning Situational Awareness VAR R2 TOP Operations Planning Situational Awareness VAR R1, R2 GOP Voltage Support AVR 21

132 Expanded ERO Risk Elements Planning and System Analysis Standard Requirements Functions PRC b R1, R2 Maintenance and Management of BPS Assets 22

133 SPP RE Risk Elements SPP RE CIP Risk Elements Standards and Requirements Standard Requirements Applicable Functions SPP RE Risk Element Justification CIP R4 BA, DP, GOP, GO, RC, TOP, TO Critical Infrastructure Protection Essential to detecting and mitigating a possible compromise of a High or Medium Impact BES Cyber Asset/System CIP R2 BA, DP, GOP, GO, RC, TOP, TO Critical Infrastructure Protection Essential to detecting and responding to a Cyber Security Incident involving a High or Medium Impact BES Cyber System CIP R1 BA, DP, GOP, GO, RC, TOP, TO Critical Infrastructure Protection Essential to detecting and mitigating a possible compromise of a High Impact BES Cyber Asset/System 23

134 2016 SPP RE Monitoring Method and Frequency Monitoring methods will be determined by the Inherent Risk Assessment On-site audits for Transmission Operators (TOPs) and Balancing Authorities (BAs) on 3-year cycle Ops & Planning will conduct off-site audits or Spot Checks for non-BA/TOP entities Non-BA/TOP Registered Entities that had an audit in 2010 or registered within the last two years. CIP will not conduct audits for Registered Entities with low impact BES Cyber Systems 24

135 2016 SPP RE Monitoring Tools Self-Certification SPP RE will continue to require Registered Entities to perform a Self-Certification to ensure compliance with Reliability Standards 2016 NERC IP has not identified Reliability Standards and requirements that require Self-Certification SPP RE has identified requirements based on the Scope Plan Self-Certification will be conducted using webCDMS Coordinated Oversight Registered Entities will follow the Lead Region's IP 25

136 2016 SPP RE Monitoring Tools Periodic data submittal 2016 NERC IP does not identify requirements that require periodic data submittals SPP RE does identify requirements that require periodic data submittal requirements SPP RE, SPP RTO, Lead Region, and MISO will collect them on a monthly, quarterly, or annual basis 26

137 ERO Reliability Assessment Regional Reliability Assessment Registered Entity Assessment/ Monitoring Scope REGISTERED ENTITY ASSESSMENT & MONITORING SCOPE 27

138 Inherent Risk Assessment NERC developed Inherent Risk Assessment (IRA) Guide and Internal Control Evaluation (ICE) Guide 28

139 SPP RE Inherent Risk Assessment To develop the monitoring scope, SPP RE will perform IRAs for Registered Entities scheduled for 2016 monitoring The assessment criteria will review Registered Entity's Risk Factors: Risk Factors Registration Geography/ Climate Vegetation Management Load and Generation Transmission History (Audit period) Events Blackstart SCADA Environment Risk Factor Attributes Registered Functions Terrain Applicable facilities Peak Load, Total Generation, Control Centers, Customers. Voltage, Length over 100kV, Interconnections, Flowgates, SPS, UFLS. Previous Violations EEA's, Events Reported General System Restoration, Blackstart Generation, Cranking Path SCADA/EMS, ICCP Association, PSP and ESP Access 29

140 Inherent Risk Assessment Compliance Oversight Plan The entity assessment of Acme Power Company was performed to identify the monitoring and scope of the compliance engagement for The assessment of the attributes identified the levels of risk for the entity to the BES and the Regional Entity's footprint. SPP RE determined that an on-site audit of Acme Power Company will be conducted on May 9 12, 2016 in accordance with NERC Rules of Procedure, The engagement scope is based on the Risk Elements from the NERC 2015 Implementation Plan and the 2015 SPP RE Audit Scope Document applicable to the entity's registered functions. SPP RE evaluated 35 risk attributes from the ERO Enterprise Inherent Risk Assessment Guide. The results were nine (9) high risk, eleven (11) moderate risk, twelve (12) low risks, and three (3) not applicable. The monitoring scope includes 30 standards with 70 requirements, see Attachment 1. Monitoring Method Date Frequency of IRA Next Monitoring O&P/CIP Audit May 9, 2016 Audit 3 year cycle May

141 Inherent Risk Assessment Registration Registered functions, identify the entity's RC, BA, TOP JRO/CFRs What function, requirements and responsible entity Compliance History Previous violations, discovery method, mitigated Technical Assessment Risk factors, transmission and generation CIP Data SCADA, workstations Technical Feasibility Exceptions Requirements, current status, devices Internal Control Evaluation Performed - Std/Req, date, control implementation Monitoring Scope Attachment 1 Reference Documents Risk Assessment Questionnaire, previous audit reports, self-certifications Event Review summary of event Enforcement Mitigation Assessment Mitigation milestones Registered Entity Assessment Revision History 31

142 Inherent Risk Assessment Technical Assessment 32

143 Inherent Risk Assessment 33

144 Internal Controls Evaluation 34

145 Internal Control Evaluation (ICE) NERC has posted an ICE Guide ICE is a voluntary program Registered Entities may elect to have their internal controls evaluated If a Registered Entity elects not to participate in ICE or doesn't have internal controls, SPP RE will monitor per usual If an ICE is performed, the ICE will not change the audit scope but could impact audit fieldwork 35

146 Key Points for 2016 Monitoring scope will continue to include a review of all mitigation plans open during audit period SPP RE will determine Registered Entity's scope based on: ERO-wide Risk Elements SPP RE Risk Elements SPP RE Registered Entity IRA SPP RE staff's professional judgment 36

147 Audit Scope Expansion Compliance team may expand scope during monitoring activities based on: Team s professional judgment Discovery of non-compliance during evidence review Will notify Registered Entity of an expansion in scope as soon as possible 37

148 Registered Entities are responsible for compliance with all enforceable Reliability Standards and Requirements in effect per their registered function at all times, regardless of what a Registered Entity's risk profile may indicate. 38

149 2016 Monitoring Schedule O & P NCR Number Entity Name Type of Audit NCR01061 Board Of Public Utilities (Kansas City KS) (BPU) On-Site NCR11407 Buffalo Dunes Wind Project, LLC (BDWP) Off-Site NCR11354 Canadian Hills Wind, LLC (CHW) Off-Site NCR01067 Carthage Water & Electric Plant (CAWEP) Off-Site NCR06033 City Of Abbeville (ABBEVLA) Off-Site NCR01071 City Of Clarksdale, Mississippi (CCM) Off-Site NCR06034 City Of Minden (MINDENLA) Off-Site NCR01083 Cleco Corporation (CLECO) On-Site NCR01092 Eastman Cogeneration Limited Partnership (EASTMAN) Off-Site NCR11314 Flat Ridge 2 Wind Energy LLC Off-Site NCR01072 Independence Power & Light (Independence,Missouri) (INDN) On-Site NCR11329 KODE Novus Wind I, LLC Off-Site NCR06050 Mississippi Delta Energy Agency (MISSDEA) Off-Site NCR11264 Post Rock Wind Power Project, LLC Off-Site NCR01139 Public Service Commission Of Yazoo City (YAZO) Off-Site NCR06010 Rayburn Country Electric Cooperative, Inc. (RCEC) Off-Site NCR11322 Spearville 3, LLC (SPEAR3) Off-Site NCR11323 Spinning Spur Wind, LLC (SPINSPUR) Off-Site NCR00658 Westar Energy, Inc. (WR) On-Site 39

150 2016 Monitoring Schedule - CIP NCR Number Entity Name Type of Audit NCR00658 Westar Energy, Inc. (WR) On-Site NCR01114 Lafayette Utilities System (LAFA) On-Site NCR01116 Louisiana Energy & Power Authority (LEPA) On-Site NCR06048 Lubbock Power And Light (LPLTX) On-Site NCR01148 Sunflower Electric Power Corporation (SECI) On-Site NCR01155 The Empire District Electric Company (EDE) On-Site NCR01083 Cleco Corporation (CLECO) On-Site NCR01118 Midwest Energy, Inc. (MIDW) On-Site 40

151 SPP RE Documents SPP.org>Regional Entity>Compliance & Enforcement> 2016 Compliance Program folder will be populated with relevant documents: - Monitoring schedules Reporting Requirements Monitoring Scope Plan - Registered Entity Risk Assessment Questionnaire * When the new SPP.org launches this fall, SPP.org links will change 41

152 Reference Documents NERC.com Compliance Resources page SPP.org > Regional Entity > Risk Based Compliance Monitoring and Enforcement for more info on ICE, IRA, Self-Logging, etc. 42

153 Jeremy Withers, Senior Compliance Specialist James Williams, Lead Compliance Specialist

154 Internal Controls Tiffany Lake WESTAR Terri Pyle OG&E Jim Nail - IPL


156 Compliance a: the act or process of complying to a desire, demand, proposal, or regimen or to coercion b: conformity in fulfilling official requirements (Merriam Webster definition) In other words... the things we do to fulfill the Requirements of the NERC Standards.

157 Internal Controls systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to... deter and detect errors... ensure accuracy and completeness of its data... and ensure adherence to its policies and plans. (Business Dictionary.com) In other words... Internal Controls are those additional things we do to ensure our Compliance activities Get Done On Time Get Done Correctly Get Documented Properly

158 Internal Controls come in many shapes and sizes Processes and Procedures Checklists Spreadsheets Calendar/ reminders Training and Qualification

159 Westar Energy's Approach to Internal Controls Traditional vs. Risk-Based Compliance Approach What is the impact to Westar Energy? Roles and Responsibilities Assessing Process-Level Risks Identifying Internal Controls SPP RE FALL COMPLIANCE WORKSHOP 6

160 Transition to Risk-Based Compliance Traditional Approach Review all applicable standards every year Collect evidence Conduct testing Update RSAWs Risk-Based Compliance Review higher risk standards Utilize internal risk assessment results Collect evidence Conduct testing Conduct process-reviews Identify and prioritize process-level risk Identify and document internal controls Perform gap analysis NERC 693 COMPLIANCE WORKSHOP 7

161 How does Risk-Based Compliance Impact Westar? Focus resources on higher risk areas Positive effect on reliability Better internal controls and management processes Incorporate 2015 lessons learned into 2016 work plan CIP Audit April Audit November 2016 NERC 693 COMPLIANCE WORKSHOP 8

162 Roles and Responsibilities Internal Audit NERC Compliance Business Units SPP RE FALL COMPLIANCE WORKSHOP 9

163 Assessing Process-Level Risks Review reliability-related processes Misoperations Transmission Vegetation Management Identify process-level risks Perform a risk assessment Document risks SPP RE FALL COMPLIANCE WORKSHOP 10

164 Identifying Internal Controls 11 Identify and document existing internal controls Perform a gap assessment Implement internal controls where necessary SPP RE FALL COMPLIANCE WORKSHOP

165 Tiffany Lake Manager, NERC Reliability (785) SPP RE FALL COMPLIANCE WORKSHOP 12

166 OG&E Approach OG&E Compliance Progression Risk-Based Approach Risk Assessment Process Review & Mapping Internal Controls Documenting Internal Controls Current Focus Areas Benefits Examples OG&E

167 OG&E Compliance Process Progression Foundation - Compliance Management Program Compliance Management Tool - Define compliance, Collect evidence, Update RSAWs Compliance Assurance Process (CAP) Procedures, Process Flow Charts, Trained SMEs, Documented Evidence, RACIs, Controls Risk-Based Approach Documented risk assessment emphasis on higher risk areas In depth process review and mapping Identify and document new internal controls 14 OG&E

168 Risk Assessment Considerations NERC Risk Elements SPP Risk Elements Top 10 Most Violated Standards Standard VRFs Audit and Self-Certification Lists NERC Projects pending Standards Past OG&E Compliance History Compliance Assurance Process (CAP) Score Other OG&E

169 Process Review and Mapping Process Mapping Detailed review with process owners Understand how work is done Incorporate compliance requirements Identify touch points within processes Business groups NERC Standards Include controls already in place Identify weak areas in the process and develop new controls OG&E

170 Internal Controls Level Entity Process Compliance assurance Type Preventive Detective Corrective Application Automated Manual Hybrid Frequency Daily Weekly Monthly Quarterly Annually OG&E

171 Documenting Internal Controls Start with what you have Review processes to identify new controls Consider process mapping as a tool OGE Internal Controls Spreadsheet - CIP Standard Req. NERC Risk Element SPP Risk Element OGE Risk Ranking (High, Medium, Low) Requirement Text Internal Control ID Control Title Control Area Internal Control Description Goal of Controls Control Type (Preventative, Detective, Corrective) Control Application (Automated, Manual, Hybrid) Control Frequency (e.g. real-time, daily, monthly, quarterly, annual, etc.) Control Owner OG&E

172 Current Focus Areas OPS (693) CIP Facility Ratings Operations Personnel Training Misoperations Recovery Plans Change Management OG&E

173 Benefits Better understanding of internal processes Improved processes Better defined roles and responsibilities Improved compliance assurance Improved reliability OG&E

174 Terri Pyle Manager, NERC Compliance (405)

175 Municipal Utility Registrations: TO/TOP/GO/GOP/TP/RP/DP/LSE 26 miles of 161 kV Transmission 4 BES Substations 1 BES Generation asset

176 Risk Assessment IPL system design very stable Maintenance program effective Program documents stable System events very rare Biggest risk is Awareness

177 Approach to Internal Controls Management focused Lead Team, Reliability Team, CIP Team Monthly meetings with division managers and primary SMEs Develop tools (spreadsheets, checklists, procedures) to help supervisors monitor performance of compliance activities

178 Examples

179 CMT: Compliance Event Form OG&E

180 CMT: Compliance Event Modification Form OG&E


184 PER-005-1: Checklist for New Tasks or Identified Task Modifications OG&E


186 PER-005-1: Review and Management of Training Process OG&E

187 Facility Ratings Process Map and Standard Touchpoints OG&E


189 Other Internal Control Examples Monthly CIP Team Meetings Review changes that could impact CIP compliance Monthly Blackstart Restoration Calls Review system changes that could impact plan Flowgate application in SCADA EMS Displays permanent and temporary flowgates and alerts Anti-virus software with automated removal and alerting

190 Questions?

191 Mitigation Expectations Simran Ahuja, NERC Senior Compliance Enforcement Analyst SPP RE 2015 Fall Workshop September 30, 2015

192 Goals Mitigation Root Cause Prevention 2 RELIABILITY ACCOUNTABILITY

193 Risk-based CMEP Noncompliance processed in accordance with the risk to the BPS Formal Mitigation Plans are not required in all circumstances Complete Reporting Efficient Mitigation Risk Reduced Quickly 3 RELIABILITY ACCOUNTABILITY

194 Process Flow Registered Entity Regional Entity NERC FERC 4 RELIABILITY ACCOUNTABILITY

195 Collaboration 5 RELIABILITY ACCOUNTABILITY

196 Contents Section 6.0 of CMEP Point of Contact Scope and description Cause of violation Action plan 6 RELIABILITY ACCOUNTABILITY

197 Contents Contd. Prevention of recurrence Expected completion date Interim risk reduction Prevention of future risk 7 RELIABILITY ACCOUNTABILITY

198 Submittal May be submitted anytime Sooner fixed sooner completed Shall be submitted within 30 days of NAVAPS 8 RELIABILITY ACCOUNTABILITY

199 Mitigation Activities Acceptable for any disposition track FFTs and Compliance Exceptions with ongoing mitigation activities - complete within 12 months from date of posting

200 Scope and Root Cause Facts and circumstances Standard and Requirement Discovery method Define scope Root Cause

201 Corrective Actions Address instant issue Address root cause Primary focus to correct issue and restore compliance

202 Preventive Actions Procedural and technical internal controls Detective controls Example - Updating procedures and training on new procedures Lessens the likelihood of violating same Standard and Requirement again

203 Milestones and Timetable Timetable for completion If expected completion date is > 3 months from date of submittal, then set milestones at least every 3 months Request for extension Submit at least 5 business days before the original milestone or completion date Communication!

204 Milestones and Timetable Contd. Expected Completion Date When all Corrective Actions including any milestones will be completed End of noncompliance vs. mitigation completion date Duration may affect penalty calculation Prevention of recurrence vs. above and beyond

205 Interim and Future Risk Critical for plans with longer durations Risks to the BPS while mitigation is in progress Actions should prevent or minimize risk to BPS

206 Regional Entity Review and Acceptance RE reviews within 30 days from receipt Issue written statement accepting/rejecting Otherwise deemed accepted Notify registered entity and NERC accepted/rejected/extended Accepted Mitigation Plan to NERC within 5 business days

207 NERC Review and Approval NERC reviews within 30 days from receipt Issue written statement approving/rejecting Otherwise deemed approved Notify registered entity and RE approved/rejected/extended Approved Mitigation Plan to FERC as non-public information within 7 business days

208 Completion Update RE on milestones and progress of Mitigation Plans Provide certification of completion to RE Signed by an officer, employee, attorney, or other authorized representative Include data or information sufficient to verify completion Examples: training records, change management records, revised procedures, testing and maintenance records, patch assessment records, screenshots, list of users/access list

209 ERO Mitigation Plan Guide - Checklist Mitigation Plan Checklist

210 References ERO Mitigation Plan Guide - April 2014 Revision to be completed by end of year Appendix 4C to the Rules of Procedure Compliance Monitoring and Enforcement Program

211 Conclusion Corrects issue to protect the reliability of the BPS Thorough mitigation Timely mitigation Faster disposition and processing Bonus: The sooner you fix it, the sooner you can be done with it!

213 General Manager's Report Sept. 30, 2015 Dallas, TX Ron Ciesiel SPP RE General Manager

214 SPP RE Violations By Year

215 YTD - Violation Dispositions

216 Winter Event Data Request FERC asked four REs to submit responses to questions concerning winter performance for Jan 7-9 and Feb 15-20, Response due 9/29/15 SPP did not have any hour exceeding 1,710 MW of outages Median MW outages of both time periods did not exceed 918 MW per hour Majority of outages due to natural gas curtailment Only two units experienced outages that previously experienced outages during the 2014 polar vortex

217 Total SPP RE Events for 2015 Nine Events - Four events reached Category 1 status - One event reached Category 2 status - Four did not reach Category status and were not analyzed via the Events Analysis process SPP RE Regional Events 3Q (through 9-21) One category 2b. Complete loss of monitoring or control, at a control center for 30 min.

218 SPP RE Misoperation Report as of Q2-15

219 50 YEAR ANNIVERSARY THE 1965 NORTHEAST BLACKOUT DAVE CHRISTIANO SPP RE

220 WHAT YOU KNOW First big one of them all Long lasting impacts Led to formation of NERC Led to legend Where were you when the lights went out? Led to a baby boom SPP RE Fall Seminar - Dallas, Texas 9/30/2015 Page 3

221 WHAT YOU MAYBE DIDN'T KNOW Similar initiating incident as in 2003 blackout Similar flow results as in 2003 blackout The first real regional blackout occurred in the Missouri Basin Area in January 1965

222 SETTING THE STAGE (1) During and post-war boom in industrial growth and electricity demand Economies of scale and tech advancements reducing cost of electricity lowest in 1970 Emphasis on reliability not economics - interconnections

223 SETTING THE STAGE (2) Mostly pre-computer age (IBM 360 first delivered in 1965, 8-64k) SCADA primitive, mostly analog Nothing close to real time data sharing

224 SETTING THE STAGE (3) No formal interconnection coordination Interconnected Systems Group NAPSIC Operating Guide 9 Action in Emergency (1964) (all of one page long; ironically approved in Niagara Falls) Niagara Falls development AC/DC battles About 4500 MW installed at Beck (Ontario) and Moses (NY)

225 SETTING THE STAGE (4) Relays all analog; requiring frequent maintenance Underfrequency relaying limited to tie lines, generators No underfrequency load shedding 1951 Overcurrent backup relays installed at Beck Relays reset to broaden their protection (375 MW setting; less than line rating) Operators were unaware of this setting (2011 Southwest Blackout lack of awareness of transformer protection and Special Protection System trip points contributing factor)

226 BIRD'S EYE VIEW (MAP FROM 2003 BLACKOUT REPORT)

227 SUPER SIMPLIFIED ELECTRICAL DIAGRAM. NIAGARA AREA

228 PRE CONTINGENCY Beck (Ontario) generation MW Niagara (NY) generation MW Net power schedule into Ontario MW Initial flow north to Beck MW Net flow north of Beck on five 230 kV lines approx MW (but not equally loaded)

229 SEQUENCE OF EVENTS (1) 5:16:11 p.m. first 230 kV line (Q29BD) north of Beck trips (no fault) +0.9 sec. to +2.7 sec. four remaining 230 kV lines trip Net result 2270 MW flowing into Ontario reverses into New York Beck and Moses units drop power, accelerate, then increase power -> huge oscillations result

230 R-O-W OUTAGES X (1965 AND 2003)

231 SIMILARITY TO 2003 BLACK-OUT

232 SEQUENCE OF EVENTS (2) +3.3 sec. PASNY - Saunders (Massena) 230 kV line trips +3.5 sec. 115, 230 kV lines trip between NY and PJM +3.6 sec. Both west east 345 kV lines trip (and all parallel 115 kV) - Con Ed -> PJM tie trips New York, New England and Ontario island

233 SEQUENCE OF EVENTS (3) 5:17:15.1-5:18:01 10 Beck units trip (low oil pressure) and 5 Moses units trip (overspeed) Numerous islands form all with mismatch of generation and load No underfrequency load shedding Would it have saved the system?

234 RESTORATION Unprecedented in scope and complexity Few black start plans since most utilities had never faced this situation

235 EFFECTS 30 million people affected Some suspected it was the Russians 600,000 stranded in NYC subways; Massive traffic jams Huge economic impacts NERC would be formed

236 FPC RECOMMENDATIONS (1) 1. Better relaying at Beck review of overall design and operations (PRC-023, PRC-004) 2. Closer relationships between Canada/US (NERC) 3. Stronger transmission networks and interconnections 4. Establish planning and operating groups for intersystem coordination (RTO groups) 5. Perform stability studies (TPL-001-4) 6. Immediate check and frequent reviews of relay settings (PRC-023, PRC-025)

237 FPC RECOMMENDATIONS (2) 7. Review reserve margins (generation and transmission) (BAL-001, -002, MOD-004, -008) 8. When economics and reliability conflict security gets heavy weighting (EOP-002) 9. Generator response needs consideration (FAC-002, PRC-006, many MOD) 10. Industry-wide study of equipment during emergency conditions (EOP-005) 11. Load shedding should be considered (EOP-003)

238 FPC RECOMMENDATIONS (3) 12. Review training on emergency procedures (EOP-005, EOP-008, PER-005) 13. Recording equipment and black-start equipment (EOP-005, PRC-018) 14. Essential Customers should arrange for aux power supply 15. NY City subways develop evacuation plans 16. Elevators need mechanical backup

239 FPC RECOMMENDATIONS (4) 17. Communications facilities should be developed with auxiliary power sources (COM-001-1, EOP-008) 18. Gas stations need a way to pump gas without power 19. Suggest federal legislation to regulate the grid Thirteen Recommendations by the Advisory Panel

240 50 YEARS LATER Those who cannot remember the past are condemned to repeat it. George Santayana Could it happen again? As Smoky says, Only you can prevent Questions?

241 FPC 1965 Blackout Recommendations

Chapter VI RECOMMENDATIONS

We make the recommendations set out below on the basis of our study to date. A panel of experts has also independently adopted a series of recommendations for interim and permanent actions to be taken by the affected utilities to avoid recurrence of major power failures, which support our own recommendations. A copy of the panel's recommendations is attached as Appendix F. The Commission's recommendations are partial and tentative. We are proceeding to determine whether there are any additional changes in facilities or operational procedures in the affected area which

1. Measures have already been taken by Ontario Hydro to prevent the same relays from triggering another power failure. A number of the other affected utilities have also taken numerous precautions to avoid a recurrence of the series of events which resulted in the blackout. While we are unable to say that another blackout of similar magnitude is impossible, we regard the possibility of a recurrence as remote. The completion of the stability studies which have been initiated will offer a better basis for appraising the risks of a widespread blackout in the northeast and the measures required to avoid such a possibility. We recommend that all utilities, individually and collectively, reexamine the overall design and operation of their power systems.

2. The blackout, while it makes plain the need for full coordination between Ontario Hydro and the interconnected United States systems, also demonstrates the readiness of these systems to work together on electric energy problems. We recommend even closer working relationships between Canadian and U.S. operating organizations on the one hand and between Canadian and U.S. governmental authorities on the other. In this connection, the National Energy Board of Canada has been fully apprised of the various stages of the investigation and has continuously extended the utmost cooperation.

3. Isolated systems are not well adapted to modern needs either for purposes of economy or service. The power systems in the affected area are in a period of transition from isolated operation or light interconnections to strong linkages and close coordination. The system stability and freedom from outage hazard which is inherent in an integrated and coordinated power pool because of the ability of each participating system to draw on its neighbors for emergency support will be increased when the affected companies strengthen their internal transmission systems and the interties between systems. The stability of the system may also be strengthened by the proper location of generating capacity planned on a pool basis. These aspects must be considered together and constitute a parallel and closely coordinated development. There are numerous additional high voltage transmission facilities which the systems in the affected area have already agreed to build or which are under consideration both to strengthen the internal ties among generating plants and load centers within the individual systems and to strengthen the links between adjoining systems. The computer studies to which we have referred should be of assistance in determining which of these projects should be built on an accelerated priority basis. We recommend an acceleration of the present trend toward stronger transmission networks within each system and stronger interconnections between systems in order to achieve more reliable service at the lowest possible cost.

4. The systems in????? the minimum reliability of service. Achievement of this goal requires close coordination of system planning and operation, which would be easier to achieve if the companies established one or more unified planning and operating groups which made this task their primary responsibility. We recommend the delegation to such planning and operating groups of sufficient responsibility to assure the performance of those functions which require close intersystem coordination.

5. The stability studies carried out by the systems in the CANUSE area - that is, the studies of how the systems would function under emergency conditions - did not postulate an emergency of the proportions which occurred. Additional stability studies are urgently required based upon the more stringent assumptions as to credible incidents which have now been shown to be necessary, and such studies are under way.

6. The power failure demonstrated the importance of close and frequent checks of relay settings controlling major facilities. The companies concerned should make such a check immediately and establish procedures for frequent review in the light of changing circumstances.

7. In the light of the consequences of the blackout we recommend a review of the question of reserve margins both in transmission and generating capacity. We hope to make specific recommendations on this subject as the result of the studies we are carrying out. Ample reserve margins constitute an important measure of insurance against peace-time outage hazards and would have even greater value under some assumptions as to defense needs.

8. Where there is a conflict between economic and service reliability factors in power system design the need for security of service should be given heavy weighting.

9. Our preliminary investigation makes clear that the type and distribution of generating reserves available may be as important as the amount, insofar as emergency use is concerned. The utilities in the CANUSE area must make a more sophisticated evaluation of the time factor involved in the utilization of spinning reserves in order to determine the responsiveness of the components of the total spinning reserves to emergency demands. Hydroelectric generation (including pumped storage), and other generation with quick starting and load pickup characteristics, are better capable of absorbing sudden increases in load than steam power stations which have slower rates of production increases. We recommend that the factor of quick responsiveness in the event of emergency should be given due consideration in the evaluation of alternative generating projects.

10. We recommend an industrywide as well as a utility-by-utility study of the adequacy of automatic equipment, communication facilities, recording facilities, and operating procedures in the dispatching and control centers and in power plants during emergency conditions.

11. It is possible that internal load shedding within the various systems involved could have prevented the complete collapse of the CANUSE network. Load shedding should be considered by the utilities along with other measures as part of their emergency operating procedures.

12. We are not in position to pass judgment on the need for improvement in emergency startup training for plant crews, although we pay tribute to their dedication and indefatigability. We recommend a thorough review of training procedures for emergencies.

13. The November 9 outage revealed the need by the utility systems for additional auxiliary power equipment to cope with systemwide outages. In some cases communication systems were dependent upon power supply from the power system itself. The same is true for automatic recording equipment and for the power required for startup of some of the steam plants. Other auxiliary facilities which were essential in restoring service were dependent upon system power supply. We recommend that the services required to limit the scope of a failure, to preserve a record of what occurred, and to enable startup of power plants in minimum time be provided with auxiliary power sources.

14. Civilian services which are deemed so essential that they cannot tolerate any interruption - that is, for which percent availability is not adequate - should arrange an auxiliary power supply. These include hospitals, airports, tunnels, draw-bridges, railroad and subway stations, some bus terminals, and basic communications services.

15. In most cases the cost of a full auxiliary power supply may be beyond its value, but in many situations it is feasible to provide a degree of protection to the public while system power supply is cut off. Thus, with respect to the Independent Subway in New York, where an alternative power supply for train operation may be impracticable, and possibly for the other New York City subways, at a minimum a subway evacuation scheme should be developed which would make the risk of interruption tolerable. This would require auxiliary lifting facilities for stations and tunnels.

16. Elevators are a special problem. In some cases it may be feasible to install auxiliary power supply adequate to move at least one elevator at a time to evacuate passengers. As a minimum, elevators should be provided with mechanical cranks or levers so that they can be moved manually in the event of stalling between floors in a power outage.

17. Communication facilities powered from auxiliary sources should be developed so that in the event of a power failure the public may be informed promptly as to the circumstances and appropriate governmental authorities notified.

18. One of the consequences of the power failure was that motorists were unable to buy gasoline because gasoline pumps were dependent upon the system power supply. We recommend to the petroleum industry that it devise a means to solve this problem in order to avoid risk of a transportation breakdown in the event of a power failure.

19. When the Federal Power Act was passed in 1935 no specific provision was made for jurisdiction over reliability of service for bulk power supply from interstate grids, the focus of the Act being rather on accounting and rate regulation. Presumably the reason was that service reliability was regarded as a problem for the states. Insofar as service by distribution systems is concerned this is still valid, but the enormous development of interstate power networks in the last thirty years requires a reevaluation of the governmental responsibility for continuity of the service supplied by them, since it is impossible for a single state effectively to regulate the service from an interstate pool or grid. The question of the need for additional legislation is under active consideration.

243 FPC Advisory Panel - Northeast Power Interruption

Recommendations for Actions To Be Taken by Affected Companies To Avoid Recurrence of Major Power Failures

I. Interim Measures

1. Immediately review standing instructions to operating personnel of each system supplying very large metropolitan areas relative to separation of the system from the interconnected network if system frequency drops to a predetermined value which indicates danger of loss of power supply due to trouble external to the system. Consider also the installation of automatic devices which may be available for tripping major transmission ties, noncritical load and generation, if necessary, to maintain adequate power supply to critical load.

2. Immediately undertake coordinated studies to review the adequacy of system and intersystem design and operating practices under unusually severe system disturbances comparable to the incident recently experienced.

3. Review means for assuring communications at all times between major system control centers.

4. Assess the adequacy of practices regarding the assignment of spinning reserve capacity on each system and the coordination of spinning reserve capacity among systems.

5. Investigate the feasibility of interruption of substantial blocks of non-critical load to provide effective emergency capacity when necessary.

6. Review present practices of scheduling power between systems and power pools so as to assure essential protection to critical load areas.

7. Review present relay applications.

8. Review standing procedures for restoring ties between systems so as to obtain maximum assistance for various contingencies.

9. Reexamine methods and facilities to obtain power supply for the rapid start-up of power plants shut-down by an emergency.

10. Determine steps which may be taken to prevent damage to generating units as they undergo emergency shut-down and to improve the start-up time of such units.

11. Reexamine the size of network segments and the adequacy of equipment, procedures and automatic devices to assure rapid restoration of underground urban network loads.

II. Permanent Measures

1. Accelerate construction of those facilities (transmission, generation, control and communication) now planned which will contribute significantly to reliability of service.

2. Reexamine the need for additional transmission, interconnection and related facilities which would enhance reliability of service within and among the affected systems and between the affected systems and outside utilities.

Approved by the Advisory Panel: C. P. ALMON, Jr. CHARLES CONCORDIA. E. B. CRUTCHFIELD. JOSEPH K. DILLARD. MORGAN DUBROW. W. S. KLEINBACH. L. F. LISCHER. G. H. MCDANIEL. T. J. NAGEL. G. O. WESSENAUER.

NOVEMBER 16, 1965

244 North American Power Systems Interconnection Committee

OPERATING GUIDE NO. 9 Action in Emergency

Approved: Fourth NAPSIC Meeting, Niagara Falls, Ontario, July 21, 1964

In a large interconnected system consisting of several pools and many systems, a temporary shortage of generating capacity in one system or even in an entire interconnected area is an ever-present operating possibility. Should such an emergency develop that is or may become of sufficient magnitude to affect operation throughout a significant portion of the interconnected system, a uniform understanding and approach is essential.

Since it is a basic principle that each control area shall plan to provide sufficient generating capacity to carry its expected load at 60 cps with provision for adequate ready reserve and regulating margin, if the internal resources are temporarily inadequate, arrangements should be made in advance with neighboring interconnected systems or pools to provide the necessary assistance. This assistance should be scheduled sufficiently in advance to permit the assisting systems or pools to provide the needed generating capability.

In the event of a deficiency of generation in one system or pool which is offset by prearranged power supply from another system or pool, it is possible that certain interconnecting ties will be heavily loaded. Should an outage or unexpectedly heavy load occur, these interconnecting lines may become overloaded or may even fail to hold. This possibility must be recognized when making commitments for prearranged power supply.

If due to an unforeseen emergency any transmission facility becomes seriously overloaded and cannot be relieved by adjusting generation, or by other means, appropriate relief measures shall be applied immediately by the deficient system to bring loading to within established emergency limits.

When a system disturbance occurs, a prime consideration is to maintain parallel operation throughout the interconnected system if at all possible. This will permit rendering maximum assistance to the system in trouble and may prevent cascading of trouble to other parts of the interconnection and assist in restoration of normal operation.

A. Power Shortage in a System or Pool

1. If a tie with other parts of the interconnection is seriously overloaded and cannot be relieved by adjusting generation in a system or pool, relief measures shall be applied immediately by the deficient system to bring the tie loading to within the established emergency limits.

2. The deficient system or pool shall be prepared to take action as in (1) above if requested to relieve serious overloads on a remote tie which is caused by the continuing deficiency.

3. In a large interconnected system, the possibility of critically low frequency in an emergency is remote. However, if a group of systems or pools becomes separated from the interconnected system, the possibility of critically low frequency does exist. If a power shortage in a system or pool is causing low frequency of a magnitude to impair or jeopardize the operation of other systems or pools, relief measures shall be applied by the deficient system to restore frequency to permit resynchronizing at any point of separation.

B. Power Shortage in an Adjacent or Remote System or Pool

1. Automatic tie-line bias frequency control should remain operative as long as practicable.

2. If automatic tie-line bias frequency control has become inoperative due to low frequency, manual control shall not be used to increase generation beyond the point necessary to restore automatic control unless mutual agreement is obtained with adjacent systems or pools.

3. If an overload persists on a tie toward a neighboring system or pool:

a. The affected system or pool shall notify the neighboring system or pool of the magnitude of the overload and request immediate relief.

b. If intolerable overload continues and equipment is endangered, the affected system or pool may open the overloaded ties.

Operating Guide No. 9 It is recommended that in such emergencies the following action shall be taken.


248 Southwest Power Pool Regional Entity Fall Workshop

Disposition Method (four columns)
  Full NOP: Full Notice of Penalty (enforcement disposition)
  Spreadsheet NOP: Spreadsheet Notice of Penalty (enforcement disposition)
  FFT: Find, Fix, Track and Report (enforcement disposition)
  Compliance Exception: Compliance Exception (non-enforcement disposition)

Procedural Prerequisite
  Full NOP: Settlement or NAVAPS/NOCV
  Spreadsheet NOP: Settlement or NAVAPS/NOCV
  FFT: None
  Compliance Exception: None; Self-Logging Presumption for Compliance Exception

Initial Registered Entity Notice
  Full NOP: Notice of Possible Violation
  Spreadsheet NOP: Notice of Possible Violation
  FFT: Notice of Possible Violation
  Compliance Exception: Preliminary Notice of Compliance Exception

Monetary Penalty
  Full NOP: Set by NERC Penalty Tool, Maximum $1,000,000/Day
  Spreadsheet NOP: Set by NERC Penalty Tool, Less than $100,000 aggregate
  FFT: No Penalty Applies
  Compliance Exception: No Penalty Applies

Mitigation
  Full NOP: Mitigation Completion Required before filing. Certification of Completion Required.
  Spreadsheet NOP: Mitigation Completion Required before filing. Certification of Completion Required.
  FFT: Mitigation Plan required. Mitigation Plan must be completed within one year of posting at NERC. Officer attestation required.
  Compliance Exception: Mitigation Plan required. Mitigation Plan must be completed within one year of posting at NERC.

Risk Determinate
  Full NOP: Minimal, Moderate, Serious or Substantial
  Spreadsheet NOP: Minimal, Moderate, Serious or Substantial
  FFT: Minimal and Moderate
  Compliance Exception: Minimal Only

Opt Out Provision
  Full NOP: Hearing Option
  Spreadsheet NOP: Hearing Option
  FFT: Notice required within ten business days of Notice of FFT disposition
  Compliance Exception: Notice required within seven days of Notice of Compliance Exception disposition

Violation History
  Full NOP: Becomes part of Registered Entity's violation history. Can be an aggravating factor in future penalty determinations
  Spreadsheet NOP: Becomes part of Registered Entity's violation history. Can be an aggravating factor in future penalty determinations
  FFT: Becomes part of Registered Entity's violation history. Can be an aggravating factor in future penalty determinations
  Compliance Exception: Limited use for violation history. May be used in evaluating Registered Entity's compliance history should Registered Entity fail to remediate an issue of noncompliance processed as a Compliance Exception and such failure contributes to a subsequent serious or substantial compliance matter

Posting
  Full NOP: Individual posting at NERC and NOP at FERC. Non-Public CIP
  Spreadsheet NOP: Aggregate spreadsheet posting at NERC and FERC. Non-Public CIP
  FFT: Aggregate posting at NERC. Informational filing at FERC. Non-Public CIP
  Compliance Exception: Aggregate posting at NERC. Informational filing at FERC. Non-Public CIP

Closure
  Full NOP: FERC Order & Notice of Completion of Enforcement Action
  Spreadsheet NOP: FERC Order & Notice of Completion of Enforcement Action
  FFT: Deemed closed by FERC/NERC after sixty day review period has run - Notice of Completion of Enforcement Action
  Compliance Exception: Deemed closed by FERC/NERC sixty day review period run - automatic closure in Notice of Compliance Exception. May be reopened if Commission finds that Compliance Exception treatment was provided based on Registered Entity's material misrepresentation of the facts underlying the Compliance Exception

249 New TOP Standards September 29, 2015 Fall Workshop SPP RE Staff: Greg Sorenson Jeff Rooker

250 Use of Presentation The standards are discussed as filed with FERC This presentation covers highlights from multiple NERC Reliability Standards For simplicity, some wording from the standard has been shortened, paraphrased, or omitted Due to space and time constraints, some topics, special cases, and notes have not been addressed It is important to read each standard in its entirety and review the standards after approval by FERC 2

251 Overview Regulatory Status Relevant Definitions IRO Standards TOP Operational Reliability Data TOP Operations Planning TOP Transmission Operations 3

252 Regulatory Status 3/18/2015 NERC files TOP and IRO standards 6/18/2015 FERC issues Notice of Proposed Rulemaking 8/4/2015 NERC files comments in response to FERC NOPR 4Q 2015?? FERC approves January 1, 2017?? new standards go into effect 12 months after regulatory approval 4

253 Acronyms Transmission Operator (TOP) Balancing Authority (BA) Generator Operator (GOP) Distribution Provider (DP) Load Serving Entity (LSE) Generator Owner (GO) Transmission Owner (TO) 5

254 Definitions Glossary of Terms Operational Planning Analysis (new) An evaluation of projected system conditions to assess anticipated (pre-contingency) and potential (post-Contingency) conditions for next-day operations. The evaluation shall reflect applicable inputs including, but not limited to, load forecasts, generation output levels, Interchange, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Facility Ratings, and identified phase angle and equipment limitations. (Operational Planning Analysis may be provided through internal systems or through third-party services.) 6

255 Definitions Glossary of Terms Operational Planning Analysis (old) An analysis of the expected system conditions for the next day's operation. (That analysis may be performed either a day ahead or as much as 12 months ahead.) Expected system conditions include things such as load forecast(s), generation output levels, Interchange, and known system constraints (transmission facility outages, generator outages, equipment limitations, etc.) 7

256 Definitions Glossary of Terms Real-time Assessment (new term) An evaluation of system conditions using Real-time data to assess existing (pre-contingency) and potential (post-contingency) operating conditions. The assessment shall reflect applicable inputs including, but not limited to: load, generation output levels, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Interchange, Facility Ratings, and identified phase-angle and equipment limitations. (Real-time Assessment may be performed through internal systems or through third-party services.) 8

257 IRO Standards Reliability Coordination IRO R2, R3 TOP, BA, GOP, DP Still need to follow RC directives or provide reasons why cannot IRO Only applies to RC IRO Only applies to RC IRO R3 RC, BA, GO, GOP, TOP, TO, DP, LSE You must provide data needed for RC's Operational Planning Analysis, Real-time monitoring, Real-time Assessments as specified by the RC (SPP Criteria Appendix 7, MISO Business Practice 10) 9

258 IRO Standards Reliability Coordination IRO Applies to the RC only IRO Outage Coordination (New Standard) R1- RC specifies roles and responsibilities, communication of outage schedules, coordination of responsibilities between TOPs and BAs RC specifies outage submission timing requirements RC specifies process to evaluate the impact of outages RC defines process for resolving conflicts MISO and SPP both have defined processes may be updated as a result of the standard 10

259 IRO Standards Reliability Coordination R2 Each TOP and BA shall perform the functions specified in its RC s outage coordination process Caution on outage submission timing now monitored by the Regional Entity, not just peer pressure R3 Each PC and TP shall provide its Planning Assessment to impacted RCs. No as requested 11

260 IRO Standards Reliability Coordination R4 Each PC and TP shall jointly develop solutions with its respective RC for identified issues or conflicts with planned outages in its Planning Assessment for the Near-Term Transmission Planning horizon. Planning Assessment documented evaluation of future Transmission System performance (see TPL-001-4) Near Term (years 1-5) 6 month outages 12

261 TOP Operational Reliability Data R1 Each TOP shall maintain a documented specification for the data necessary for it to perform its Operational Planning Analyses, Real-time monitoring, and Real-time Assessments 1.1 needed data and info including non-BES data and external network data 1.2 provisions for notification of current Protection System status or degradation 1.3/1.4 periodicity and deadline R2- same for BA 13

262 TOP Operational Reliability Data R3 [R4]. Each TOP [BA] shall distribute its data specification to entities that have data required by the TOP's [BA's] Operational Planning Analyses, Real-time monitoring, and Real-time Assessment. R5. Each TOP, BA, GO, GOP, LSE, TO and DP receiving a data specification in R3, R4 shall satisfy the obligations of the documented specifications. 14

263 System Operating Limits The value (such as MW, Mvar, A, f, and V) that satisfies the most limiting of the prescribed operating criteria for a specified system configuration within acceptable reliability criteria. SOLs are based upon certain operating criteria. These include, but are not limited to: Facility Ratings (applicable pre- and post-contingency equipment or facility ratings) Transient Stability Ratings (pre- and post-Contingency) Voltage Stability Ratings (pre- and post-Contingency) System Voltage Limits (pre- and post-Contingency) See also NERC SOL White Paper 15

264 System Operating Limits 16

265 TOP Operations Planning R1. Each TOP shall have an Operational Planning Analysis that will allow it to assess whether its planned operations for the next day within its TOP area will exceed any of its System Operating Limits (SOLs). R2. Each TOP shall have an Operating Plan(s) for next-day operations to address potential SOL exceedances identified as a result of its Operational Planning Analysis as required in R1. More than just identifying a possible overload Operators should understand how markets and TLRs control flow if this is the mitigation 17

266 TOP Operations Planning R3. Each TOP shall notify entities identified in the Operating Plan of their role R4 and R5 similar planning for BAs R6[R7]. Each TOP [BA] shall provide its Operating Plan for next day operations to its RC. Audit hint: SPP RE will check to make sure you notified appropriate parties in the plans and the RC prior to the operating day 18

267 TOP Transmission Operations R1 [R2]. Each TOP [BA] shall act to maintain the reliability of its TOP [BA] Area via its own actions or by issuing Operating Instructions. R3 [R5]. Each BA [TOP], GOP, and DP shall comply with each Operating Instruction issued by its TOP [BA], unless such action cannot be physically implemented or it would violate safety, equipment, regulatory, or statutory requirements. R4 [R6]. Inform of inability R7. TOP Emergency assistance 19

268 TOP Transmission Operations R8. Each TOP shall inform its RC, known impacted BAs, and known impacted TOPs, of its actual or expected operations that result in, or could result in, an Emergency. R9. Each BA and TOP shall notify its RC and known impacted interconnected entities of all planned outages, and unplanned outages of 30 minutes or more, for telemetering and control equipment, monitoring and assessment capabilities, and associated communication channels between affected entities. 20

269 TOP Transmission Operations R10. Each TOP shall perform the following as necessary for determining SOL exceedances within its TOP area: 10.1 within, monitor Facilities and SPS status 10.2 outside, obtain status, voltage, and flow and SPS status Only facilities that affect you are needed You need to be able to justify what was not included R11. BA monitor its area/SPS to maintain gen/load R12. Don't operate outside the IROL for long 21

270 TOP Transmission Operations R13. Each TOP shall ensure a Real-Time Assessment is performed at least once every 30 minutes. Computer logs Checklists Third party (such as RTO) OK R14. Each TOP shall initiate its Operating Plan to mitigate a SOL exceedance identified as part of its Real-time monitoring or Real Time Assessment. R15. Each TOP shall inform the RC of action taken to return system to within limits. 22

271 TOP Transmission Operations R16[R17]. Each TOP [BA] shall provide its System Operators with the authority to approve planned outages and maintenance of its telemetering and control equipment, monitoring and assessment capabilities, and associated communication channels between affected entities. EMS, SCADA maintenance, RTU maintenance, server failover, ICCP links, etc. For RTO markets, does the BA operator approve plant telemetering maintenance that affects AGC? 23

272 TOP Transmission Operations R18. Each TOP shall operate to most limiting in instances where there is a difference in SOLs. R19 [R20]. Each TOP [BA] shall have data exchange capabilities with the entities that it has identified that it needs data from in order to maintain reliability within the TOP [BA] area. 24

273 TOP Transmission Operations Evidence Voice recordings, emails Computer logs, alarming System specifications System alarming RTCA failure alarms Operators logs to document actions taken 25

274 Questions Please feel free to ask Greg Sorenson Senior Compliance Engineer Jeff Rooker Lead Compliance Engineer

275 Compliance Monitoring and Enforcement Program (CMEP) 101 September 29, 2015 Mike Hughes Lead Compliance Engineer


277 TOPICS HOW WE GOT HERE REGULATORY RELATIONSHIPS KEY GUIDANCE DOCUMENTS NERC STANDARDS NERC STANDARDS REVISION PROCESS OVERVIEW OF SPP RE OVERVIEW OF ENFORCEMENT OUTREACH 3

278 HOW WE GOT HERE 4

279 Road to Mandatory Compliance 1930s-2007: Compliance is voluntary 2003 Blackout 1965 Blackout 1968 NERC formed with SPP as founding member 2005 Energy Policy Act creates Electric Reliability Organization (ERO) to develop/enforce compliance 2006 NERC becomes ERO 2007 NERC delegates authority to 8 Regional Entities (RE) SPP members choose to become a Regional Entity Standards become mandatory 5

280 Reliability History: Key Dates 1968: National Electric Reliability Council (NERC) established by the electric industry in response to 1965 Northeast blackout 2002: NERC operating policy and planning standards became mandatory and enforceable in Ontario, Canada 2003: Blackout report recommends mandatory reliability standards 2005: U.S. Energy Policy Act of 2005 creates the Electric Reliability Organization (ERO) 2006: Federal Energy Regulatory Commission (FERC) certified NERC as the ERO; Memorandum of Understanding (MOUs) with some Canadian Provinces 2007: North American Electric Reliability Council became the North American Electric Reliability Corporation (NERC); FERC issued Order 693 approving 83 of 107 proposed reliability standards; became mandatory and enforceable

281 REGULATORY RELATIONSHIPS 7

282 Regulatory Relationships FERC Oversees NERC via 2005 Energy Policy Act Approves NERC standards and NERC-approved violation dispositions NERC Delegates enforcement authority to Regional Entities via FERC-approved agreements Approves violation dispositions from Regional Entities Develops standards with industry input Regional Entities Monitors Registered Entities, with authority to find violations and levy financial penalties/sanctions for non-compliance May participate in standards development process Registered Entities Responsible for compliance with NERC standards May participate in standards development process 8

283 Role of Regional Entities in the ERO Delegation agreement defines relationship Based on NERC Rules of Procedure NERC approves regional budgets NERC audits regional compliance programs


285 KEY DOCUMENTS 11

286 Foundational Guiding Documents Energy Policy Act of 2005 Section 215 Rules of Procedure (ROP) Section 400 Provides for NERC oversight of Regional Entities (REs) Compliance program attributes (audit cycles, independence, confidentiality) ROP Appendix 4C, Compliance Monitoring and Enforcement Program 12

287 Hierarchy of Governing Documents Federal regulations FERC Orders and Directives NERC Rules of Procedure NERC directives (such as bulletins) Professional standards (such as Generally Accepted Government Auditing Standards) Tools, practices and procedures (including RSAWs, NERC templates, and recommended best practices) 13

288 Rules of Procedure Rules of Procedure address: Standards development process Compliance Monitoring and Enforcement Program (CMEP) Business plans and budgets Regional entity oversight Training and education NERC Rules-of-Procedure 14

289 CMEP Implementation Plan Implementation Plan (IP) is annual operating plan for NERC and REs in performance of their responsibilities and duties in CMEP implementation Annual NERC IP specifies NERC Reliability Standards and Requirements to be actively monitored and audited by REs during implementation year Regional IPs: Identify additional standards/requirements that REs initially plan to actively monitor Describe how they will monitor Provide the RE s annual audit plan Identifies key CMEP-related activities describes other CMEP-related processes used for implementation 15

290 Importance NERC RISK ELEMENTS GUIDE for the 2015 CMEP IP 2015 ERO CMEP IP on NERC Resource Page 16

291 NERC STANDARDS 17

292 NERC STANDARDS 18

293 NERC STANDARDS PROCESS 19

294 NERC Standards Process [Diagram: participants in the NERC standards process. Labels shown: RE, TOW, RTO, Board of Trustees, Regulators, Gov't, SEU, LSE, TDU, LEU, Mkt, Gen, Standards Committee, Drafting Teams, Stakeholders, Ballot Body, Standards Staff, Ballot Pools] 20

295 [Flowchart of the standards development process. Box labels as extracted: Authorize Posting SAR; Appoint DT; Draft Standard; Collect Informal Feedback; Revise; Submit Standard for QR; Revise; Post for Comment; Consider/Respond/Revise; Submit Standard for QR; Revise; Post for Comment/Ballot; Consider/Respond/Revise; Implement; Regulatory Agencies Approve; Board Adopts; Post for Recirculation Ballot] 21

296 OVERVIEW OF SPP RE 22

297 SPP RE is an independent and separate division of SPP, Inc. that assesses regional reliability and monitors and enforces our region's compliance with reliability standards. 23

298 SPP RE is independent, but part of SPP, Inc. Intranet SPP, Inc. Staff meetings Policies & Procedures SPP RE Confidential compliance information Org groups Reports to Board of Directors Reports to RE Trustees Separate budget/funding mechanism 24

299 What We Do: Register/certify BES users, owners, operators ~115 entities registered with SPP RE 25

300 What We Do: Assess compliance All Bulk Electric System users, owners, operators must register with an RE for oversight ~ 107 standards with ~ 1,100 requirements We monitor compliance through 7 methods: Self-Reports, Audits, Self-Certifications, Spot Checks, Data Submittals, Complaints, Investigations 26

301 What We Do: Publish annual reliability assessments [Chart: Total Internal Demand, value in MW]

302 What We Do: Analyze system events & develop lessons learned 28

303 Most Violated Standards Based on rolling 12 months through 8/31/15 [Represents ~ 93% of total violations]

SPP RE Rank | NERC 12 Month Rank * | Standard | Description | Number of Violations | Risk Factor
1 | 7 | CIP-002 | Critical Cyber Asset Identification | 23 | High/Lower
2 | 1 | CIP-007 | Systems Security Management | 20 | Med./Lower
3 | 3 | CIP-005 | Electronic Security Perimeters | 13 | Med./Lower
4 | 2 | CIP-006 | Physical Security - Critical Cyber Assets | 12 | Med./Lower
5 | 4 | CIP-004 | Personnel & Training | 5 | Med./Lower
6 | 8 | VAR-002 | Network Voltage Schedules | 5 | Med./Lower
7 | 6 | CIP-003 | Security Management Controls | 4 | Med./Lower
8 | 5 | PRC-005 | Protection System Maintenance | 4 | High/Lower
9 | 9 | CIP-009 | Recovery Plan for Critical Cyber Assets | 3 | Med./Lower
 | | FAC-008 | Facility Ratings (includes FAC-009) | 2 | Med./Lower

* NERC as of June 30, 2014
** Not in NERC Rolling 12 month Top Ten
29

304 2014 SPP RE Year in Review Achieved 122% of 2014 staff goals and metrics Numbers at a Glance Audit reports issued Audits performed Events processed 30 FFTs processed 62 Mitigation Plans reviewed 101 Newsletters published Registration changes Reliability Assessments published TFE actions 271 Videos produced 8 Violations processed 188 Violations received Workshop & webinar attendees

305 ENFORCEMENT 31

306 Enforcement Overview Violation Initiation from one of 7 discovery methods Mitigation can begin at any time and runs in parallel with violation processing SPP RE issues Notice of Preliminary Screen SPP RE begins violation processing SPP RE issues Notice of Possible Violation (NPV) SPP RE then completes violation processing through one of four methods. 32

307 Enforcement Overview Processing methods are: Find, Fix, Track (FFT) Compliance Exception Dismissal Settlement Notice of Confirmed Violation (NOCV) FERC will issue orders of no further review for settlements and NOCV 33

308 Find, Fix and Track FFT enforcement track characteristics Minimal and moderate risk noncompliance only Penalty not imposed Part of compliance history Registered entity can opt out PV becomes issue of non-compliance 34

309 Compliance Exception Minimal risk noncompliance only Penalty not imposed Becomes part of entity's compliance history only to the extent that it serves to inform the ERO Enterprise of potential risk Not part of entity's violation history for purposes of aggravation of penalties Will be submitted to NERC/FERC; disposition of public posting is determined per NERC policy 35

310 Self-Logging of Minimal Risk Issues The NERC Guidance document for self-logging, ERO Enterprise Self-Logging Program, was issued May 20, 2015 Allows Registered Entities that have demonstrated effective management practices to keep track of minimal risk noncompliance (and mitigation) on a log that is periodically submitted to SPP RE To request participation in self-logging, please email spprecompliance@spp.org 36

311 OUTREACH 37

312 SPP RE Outreach Program SPP.org webpages Online videos Monthly newsletter 3 annual workshops Lessons Learned 38

313 Questions Please feel free to ask Mike Hughes Lead Compliance Engineer

314 CIP V5 Evidence and Expectations September 29, 2015 Sushil Subedi and Steven Keller SPP RE Staff

315 Evidence Request Workbooks* Excel file will be provided as a guideline to provide evidence for every requirement Evidence request for each requirement will have a separate tab Within each tab, requirement parts are broken down 2

316 Example of evidence request 3

317 Quality Evidence Evidence that is appropriate, sufficient and adequate Appropriate: relevant, valid, and reliable in providing support for findings and conclusions Sufficient: enough to lead a prudent person to the same conclusions that you have reached Adequate: evidence that is of high enough quality to be used for analysis and proof 4

318 Appropriate Quality Evidence Relevant- logically related to the issue Valid- extent to which evidence is based on sound reasoning or accurate information Reliable- consistency of results when information is measured or tested 5

319 Sufficient Quality Evidence Having a large volume of evidence does not compensate for the lack of relevance, validity, or reliability In some cases, one quality piece of evidence may be sufficient for the requirement Sufficiency of evidence relies on the relevance of the requirement 6

320 Adequate Quality Evidence Evidence is of high enough quality to be used for analysis and proof An example of adequate evidence would be: Document title, definition Revision level, date Effective date Authorizing signatures 7

321 CIP , Requirement R1 8

322 CIP , R1 Evidence Approved list of High and Medium Impact BES Cyber Systems Approved list of assets containing Low Impact BES Cyber Systems Evidence that the BES Cyber System(s) list is reviewed at least once every 15 calendar months Evidence that the BES Cyber System(s) list is updated as necessary 9

323 CIP Requirement R2 10

324 CIP , R2 Evidence Evidence of reviewing the identifications in Requirement R1 and its parts at least once every 15 calendar months Evidence that the Senior Manager or delegate has approved the identifications required by Requirement R1 at least once every 15 calendar months. Supporting evidence- Approval of CIP Senior Manager and, if applicable, the delegation. Evidence of electronic or physical dated records to demonstrate that the Responsible Entity has reviewed and updated identifications required in Requirement R1 11

325 CIP-005-5, R1 Part 1.1-All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP. Evidence: List of all ESPs with all uniquely identifiable applicable Cyber Assets connected via a routable protocol within each ESP Part 1.2- All External Routable Connectivity must be through an identified Electronic Access Point (EAP). Evidence: Network diagrams showing all external routable communication paths and the identified EAPs 12

326 CIP-005-5, R1 Part 1.3- Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default. Evidence: List of rules (firewall, access control lists, etc.) that demonstrate that only permitted access is allowed and that each access rule has a documented reason Part 1.4- Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets. Evidence: Documented process that describes how the Responsible Entity is providing authenticated access through each dial-up connection 13
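The rule-list evidence described for Part 1.3 can be checked mechanically before it is handed to an auditor. The following is an added example, not part of the workshop materials: the CSV column layout, the rule contents and the change-request numbers are constructed, and first-match rule evaluation is assumed.

```python
import csv
import io

# Constructed sample export of an Electronic Access Point rule list.
# The column layout is an assumption for this example, not a vendor format.
SAMPLE_RULES = """\
seq,direction,action,source,destination,service,reason
10,inbound,permit,10.20.0.5,10.50.1.10,tcp/443,Historian pulls data from EMS web API (CR-1042)
20,inbound,permit,10.20.0.0/24,10.50.1.20,tcp/22,
30,inbound,deny,any,any,any,Default deny
40,inbound,permit,10.20.0.9,10.50.1.30,tcp/3389,Vendor support jump host (CR-1077)
10,outbound,permit,10.50.1.10,10.20.0.5,tcp/514,Syslog to SIEM collector (CR-1010)
20,outbound,permit,any,any,any,Temporary rule for troubleshooting
"""


def load_rules(text):
    """Parse the CSV export into a list of normalized rule dictionaries."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rule = {key: (value or "").strip() for key, value in row.items()}
        rule["seq"] = int(rule["seq"])
        rule["action"] = rule["action"].lower()
        rule["direction"] = rule["direction"].lower()
        rules.append(rule)
    return rules


def matches_everything(rule):
    """True when source, destination and service are all 'any'."""
    return all(rule[f].lower() == "any" for f in ("source", "destination", "service"))


def review_rules(text, directions=("inbound", "outbound")):
    """Return (direction, seq, issue) findings for the Part 1.3 evidence.

    Checks, per direction and in first-match order:
      - every permit rule carries a documented reason
      - no permit rule matches any/any/any
      - the rule set ends in an explicit deny-all
      - nothing is placed after the deny-all (it would never be evaluated)
    """
    rules = load_rules(text)
    findings = []
    for direction in directions:
        ordered = sorted(
            (r for r in rules if r["direction"] == direction),
            key=lambda r: r["seq"],
        )
        deny_all_seen = False
        for rule in ordered:
            if deny_all_seen:
                findings.append((direction, rule["seq"], "after_deny_all"))
            elif rule["action"] == "deny" and matches_everything(rule):
                deny_all_seen = True
            elif rule["action"] == "permit":
                if not rule["reason"]:
                    findings.append((direction, rule["seq"], "permit_without_reason"))
                if matches_everything(rule):
                    findings.append((direction, rule["seq"], "permit_any_any"))
        if not deny_all_seen:
            # An implicit platform default deny would need separate evidence.
            findings.append((direction, None, "no_terminal_deny_all"))
    return findings


if __name__ == "__main__":
    for direction, seq, issue in review_rules(SAMPLE_RULES):
        print(f"{direction:8} rule {seq}: {issue}")
```

A device that denies by default without an explicit final rule will show `no_terminal_deny_all` here; in that case the default behaviour has to be evidenced from the device configuration instead.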

327 CIP-005-5, R1 Part 1.5- Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications. Evidence: Documentation that malicious communications detection methods (e.g. intrusion detection system, application layer firewall, etc.) are implemented 14

328 CIP-005-5, R2 Part 2.1- Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset. Evidence: Network diagrams or architecture documents Part 2.2- For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System. Evidence: Architecture documents detailing where encryption initiates and terminates 15

329 CIP-005-5, R2 Part 2.3- Require multi-factor authentication for all Interactive Remote Access sessions. Evidence: architecture documents detailing the authentication factors used. (e.g. Something the individual knows, something the individual has, something the individual is) 16

330 CIP R1 Part 1.1- Define operational or procedural controls to restrict physical access. Evidence: documentation that operational or procedural controls exist. Part 1.2- Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access. Evidence: language in the physical security plan that describes each Physical Security Perimeter and how unescorted physical access is controlled by one or more different methods and proof that unescorted physical access is restricted to only authorized individuals, such as a list of authorized individuals accompanied by access logs. 17

331 CIP-006-5, R1 Part 1.3- Where technically feasible, utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access. Evidence: language in the physical security plan that describes the Physical Security Perimeters and how unescorted physical access is controlled by two or more different methods and proof that unescorted physical access is restricted to only authorized individuals, such as a list of authorized individuals accompanied by access logs. 18

332 CIP-006-5, R1 Part 1.4- Monitor for unauthorized access through a physical access point into a Physical Security Perimeter. Evidence: An example of evidence may include, but is not limited to, documentation of controls that monitor for unauthorized access through a physical access point into a Physical Security Perimeter. 19

333 CIP-006-5, R1 Part 1.5- Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical Security Perimeter to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection. Evidence: language in the physical security plan that describes the issuance of an alarm or alert in response to unauthorized access through a physical access control into a Physical Security Perimeter and additional evidence that the alarm or alert was issued and communicated as identified in the BES Cyber Security Incident Response Plan, such as manual or electronic alarm or alert logs, cell phone or pager logs, or other evidence that documents that the alarm or alert was generated and communicated. 20

334 CIP-006-5, R1 Part 1.6- Monitor each Physical Access Control System for unauthorized physical access to a Physical Access Control System. Evidence: documentation of controls that monitor for unauthorized physical access to a PACS. 21

335 CIP-006-5, R1 Part 1.7- Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection. Evidence: language in the physical security plan that describes the issuance of an alarm or alert in response to unauthorized physical access to Physical Access Control Systems and additional evidence that the alarm or alert was issued and communicated as identified in the BES Cyber Security Incident Response Plan, such as alarm or alert logs, cell phone or pager logs, or other evidence that the alarm or alert was generated and communicated. 22

336 CIP-006-5, R1 Part 1.8- Log (through automated means or by personnel who control entry) entry of each individual with authorized unescorted physical access into each Physical Security Perimeter, with information to identify the individual and date and time of entry. Evidence: language in the physical security plan that describes logging and recording of physical entry into each Physical Security Perimeter and additional evidence to demonstrate that this logging has been implemented, such as logs of physical access into Physical Security Perimeters that show the individual and the date and time of entry into Physical Security Perimeter. 23

337 CIP-006-5, R1 Part 1.9- Retain physical access logs of entry of individuals with authorized unescorted physical access into each Physical Security Perimeter for at least ninety calendar days. Evidence: dated documentation such as logs of physical access into Physical Security Perimeters that show the date and time of entry into Physical Security Perimeter. 24

338 CIP-006-5, R2 Part 2.1- Require continuous escorted access of visitors (individuals who are provided access but are not authorized for unescorted physical access) within each Physical Security Perimeter, except during CIP Exceptional Circumstances. Evidence: language in a visitor control program that requires continuous escorted access of visitors within Physical Security Perimeters and additional evidence to demonstrate that the process was implemented, such as visitor logs. 25

339 CIP-006-5, R2 Part 2.2- Require manual or automated logging of visitor entry into and exit from the Physical Security Perimeter that includes date and time of the initial entry and last exit, the visitor's name, and the name of an individual point of contact responsible for the visitor, except during CIP Exceptional Circumstances. Evidence: language in a visitor control program that requires continuous escorted access of visitors within Physical Security Perimeters and additional evidence to demonstrate that the process was implemented, such as dated visitor logs that include the required information. 26

340 CIP-006-5, R2 Part 2.1- Retain visitor logs for at least ninety calendar days. Evidence: documentation showing logs have been retained for at least ninety calendar days. 27

341 CIP-007-5, R1 Part 1.1- Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed. Evidence: Documentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group. Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports; or Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others. 28
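The comparison between a listening-port listing and the documented need, as described in the evidence above, can be scripted. This is an added example, not part of the workshop materials: the `netstat -tuln`-style capture and the baseline of documented needs are constructed, and the baseline tuple layout is an assumption.

```python
# Constructed sample: `netstat -tuln`-style output from a hypothetical Cyber Asset.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::49155                :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Constructed baseline: (protocol, first port, last port, documented need).
# Ranges cover services that use dynamic ports.
DOCUMENTED_NEED = [
    ("tcp", 22, 22, "SSH administration from the Intermediate System"),
    ("tcp", 5432, 5432, "Local historian database"),
    ("tcp", 49152, 49160, "Dynamic port range for vendor RPC service"),
    ("udp", 123, 123, "NTP time synchronization"),
    ("tcp", 443, 443, "HTTPS operator console"),
]

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listening(netstat_text):
    """Return {(proto, port): set(bind addresses)} for listening sockets."""
    listening = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and column-header lines
        proto = fields[0].rstrip("6")  # tcp6 -> tcp, udp6 -> udp
        if proto == "tcp" and fields[-1] != "LISTEN":
            continue  # established sessions are not listeners
        address, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listening.setdefault((proto, int(port)), set()).add(address)
    return listening


def documented_reason(proto, port, baseline):
    """Return the documented need covering this port, or None."""
    for b_proto, first, last, reason in baseline:
        if b_proto == proto and first <= port <= last:
            return reason
    return None


def audit_ports(netstat_text, baseline):
    """Compare observed listeners with the documented-need baseline."""
    listening = parse_listening(netstat_text)
    undocumented, justified = [], []
    for key in sorted(listening):
        proto, port = key
        entry = (proto, port, sorted(listening[key]))
        reason = documented_reason(proto, port, baseline)
        if reason is None:
            undocumented.append(entry)
        else:
            justified.append(entry + (reason,))
    # Baseline entries with no matching listener point at stale documentation.
    not_observed = [
        (proto, first, last, reason)
        for proto, first, last, reason in baseline
        if not any(p == proto and first <= n <= last for p, n in listening)
    ]
    # Listeners bound only to loopback are not reachable over the network.
    loopback_only = [k for k in sorted(listening) if listening[k] <= LOOPBACK]
    return {
        "undocumented": undocumented,
        "justified": justified,
        "not_observed": not_observed,
        "loopback_only": loopback_only,
    }


if __name__ == "__main__":
    for name, rows in audit_ports(SAMPLE_NETSTAT, DOCUMENTED_NEED).items():
        print(name)
        for row in rows:
            print("   ", row)
```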

342 CIP-007-5, R1 Part 1.1- Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media. Evidence: documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage. 29

343 CIP-007-5, R2 Part 2.1- A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists. Evidence: documentation of a patch management process and documentation or lists of sources that are monitored, whether on an individual BES Cyber System or Cyber Asset basis. 30

344 CIP-007-5, R2 Part 2.1- At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1. Evidence: an evaluation conducted by, referenced by, or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days. 31

345 CIP-007-5, R2 Part 2.3- For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions: Apply the applicable patches; or Create a dated mitigation plan; or Revise an existing mitigation plan. Mitigation plans shall include the Responsible Entity's planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations. 32

346 CIP-007-5, R2 Part 2.3 Evidence: Records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed); or A dated plan showing when and how the vulnerability will be addressed, to include documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations. 33

347 CIP-007-5, R2 Part 2.4- For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate. Evidence: records of implementation of mitigations. 34
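An internal check of the 35-calendar-day evaluation and action windows and the mitigation-plan deadline described in the R2 slides above, as an added example that is not part of the workshop material. The record layout, the patch identifiers, the dates and the `extension_to` field (standing for an extension approved by the CIP Senior Manager or delegate) are constructed assumptions.

```python
"""Check patch evaluation cadence and follow-up actions against 35-day windows."""
from datetime import date, timedelta

WINDOW = timedelta(days=35)
AS_OF = date(2016, 8, 1)  # constructed review date

# Constructed dates on which a patch-source evaluation was completed.
EVALUATIONS = [date(2016, 4, 4), date(2016, 5, 6),
               date(2016, 6, 15), date(2016, 7, 18)]

# Constructed per-patch records; field names are hypothetical.
PATCHES = [
    {"id": "PATCH-A", "evaluated": date(2016, 5, 6),
     "action": "applied", "action_date": date(2016, 5, 20)},
    {"id": "PATCH-B", "evaluated": date(2016, 5, 6),
     "action": "mitigation_plan", "action_date": date(2016, 6, 14),
     "plan_due": date(2016, 7, 31), "implemented": date(2016, 7, 29)},
    {"id": "PATCH-C", "evaluated": date(2016, 6, 15),
     "action": "mitigation_plan", "action_date": date(2016, 6, 30),
     "plan_due": date(2016, 7, 15), "implemented": None},
    {"id": "PATCH-D", "evaluated": date(2016, 6, 15),
     "action": None, "action_date": None},
]


def cadence_gaps(evaluations, as_of):
    """Return (previous, next, days) for every interval longer than 35 days.

    The review date is appended so an overdue next evaluation is also caught.
    """
    points = sorted(evaluations) + [as_of]
    return [(a, b, (b - a).days)
            for a, b in zip(points, points[1:]) if b - a > WINDOW]


def patch_findings(patches, as_of):
    """Return (patch id, finding) pairs for late or missing follow-up."""
    findings = []
    for p in patches:
        deadline = p["evaluated"] + WINDOW
        acted = p.get("action_date")
        if acted is None:
            if as_of > deadline:
                findings.append(
                    (p["id"], "no action within 35 days of evaluation"))
            continue
        if acted > deadline:
            days = (acted - p["evaluated"]).days
            findings.append((p["id"], f"action {days} days after evaluation"))
        if p["action"] == "mitigation_plan":
            # An approved extension replaces the plan's original due date.
            due = p.get("extension_to") or p["plan_due"]
            done = p.get("implemented")
            if (done or as_of) > due:
                findings.append(
                    (p["id"], "mitigation plan not implemented by its due date"))
    return findings


if __name__ == "__main__":
    for gap in cadence_gaps(EVALUATIONS, AS_OF):
        print("evaluation gap:", gap)
    for finding in patch_findings(PATCHES, AS_OF):
        print("patch finding:", finding)
```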

348 CIP-007-5, R5 Part 5.1- Have a method(s) to enforce authentication of interactive user access, where technically feasible. Evidence: documentation describing how access is authenticated. Part 5.2- Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s). Evidence: listing of accounts by account types showing the enabled or generic account types in use for the BES Cyber System 35

349 CIP-007-5, R5 Part 5.3- Identify individuals who have authorized access to shared accounts. Evidence: listing of shared accounts and the individuals who have authorized access to each shared account. Part 5.4- Change known default passwords, per Cyber Asset capability. Evidence: Records of a procedure that passwords are changed when new devices are in production; or Documentation in system manuals or other vendor documents showing default vendor passwords were generated pseudo-randomly and are thereby unique to the device. 36

350 CIP-007-5, R5 Part 5.5- For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters: Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset. 37

351 CIP-007-5, R5 Part 5.5 Evidence: System-generated reports or screenshots of the system-enforced password parameters, including length and complexity 38

352 CIP-007-5, R5 Part 5.6- Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months. Evidence: System-generated reports or screen-shots of the system-enforced periodicity of changing passwords; 39

353 CIP-007-5, R5 Part 5.7- Where technically feasible, either: Limit the number of unsuccessful authentication attempts; or Generate alerts after a threshold of unsuccessful authentication attempts. Evidence: Documentation of the account lockout parameters; or Rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts. 40
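The "lesser of" rule in Part 5.5, the 15-calendar-month change interval in Part 5.6 and the either/or choice in Part 5.7, applied to a small inventory as an added example that is not part of the workshop material. The asset names, field names and settings are constructed, and reading "15 calendar months" as the same day of the month fifteen months later is an assumption.

```python
"""Evaluate enforced password settings per Cyber Asset against Parts 5.5 to 5.7."""
import calendar
from datetime import date

# Constructed inventory: device capability limits and the settings enforced.
ASSETS = [
    {"name": "hmi-01", "max_len": 64, "max_types": 4, "min_len": 12,
     "min_types": 3, "last_change": date(2015, 3, 10),
     "lockout_after": 5, "alert_after": None},
    {"name": "relay-07", "max_len": 6, "max_types": 2, "min_len": 6,
     "min_types": 2, "last_change": date(2014, 11, 30),
     "lockout_after": None, "alert_after": None},
    {"name": "rtu-03", "max_len": 16, "max_types": 4, "min_len": 6,
     "min_types": 2, "last_change": date(2016, 1, 5),
     "lockout_after": None, "alert_after": 10},
]


def required_parameters(asset):
    """Part 5.5: lesser of 8 characters / 3 types and what the asset supports."""
    return min(8, asset["max_len"]), min(3, asset["max_types"])


def add_months(d, months):
    """Same day of month `months` later, clamped to the month's last day."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def character_types(password):
    """Count the character types present in a candidate password."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def meets_part_5_5(password, asset):
    """Procedural check of one password against the asset's requirement."""
    need_len, need_types = required_parameters(asset)
    return len(password) >= need_len and character_types(password) >= need_types


def review_assets(assets, as_of):
    """Return {asset name: [finding codes]} for Parts 5.5, 5.6 and 5.7."""
    results = {}
    for a in assets:
        need_len, need_types = required_parameters(a)
        findings = []
        if a["min_len"] < need_len:
            findings.append("5.5-length")
        if a["min_types"] < need_types:
            findings.append("5.5-complexity")
        if as_of > add_months(a["last_change"], 15):
            findings.append("5.6-age")
        # Part 5.7 is satisfied by either a lockout limit or an alert threshold.
        if a["lockout_after"] is None and a["alert_after"] is None:
            findings.append("5.7-threshold")
        results[a["name"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in review_assets(ASSETS, date(2016, 4, 1)).items():
        print(name, findings or "no findings")
```

The relay that supports only six characters and two character types passes Part 5.5 at those limits, while the RTU fails with the same settings because it supports more.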

354 Further Reference You may also want to watch CIP V5 Preparing for Audit video Other V5 videos are posted to our video training library 41

355 Questions/Comments Steven Keller (501) Sushil Subedi (501)

356 Breakout Session SPP RE Inherent Risk Assessment and Internal Controls Evaluation September 29, 2015 James Williams Lead Compliance Specialist Steven Keller Lead Compliance Specialist

357 Objectives Describe the SPP RE IRA process Describe the SPP RE ICE process Describe the tools used for IRA and ICE Explain the use of the IRA and ICE results 2

358 Inherent Risk Assessment (IRA) Process Why is SPP RE doing an Inherent Risk Assessment? To develop the Registered Entity's compliance oversight plan Identify the level of risk to the BPS Monitoring scope Monitoring method Monitoring frequency To understand the Registered Entity so we can assess the risks 3

359 Process Steps 4

360 Information Gathering SPP RE's IRA Questionnaire SPP RE's Asset Spreadsheet Internal information Previous audit reports Self-certifications Reliability Coordinator Questionnaire Compliance history 5

361 Inherent Risk Assessment Compliance Oversight Plan Monitoring method, frequency and scope Registration Registered functions, identify the entity's RC, BA, TOP JRO/CFRs What function, requirements and responsible entity Compliance History Previous violations, discovery method, mitigated Technical Assessment Risk factors, transmission and generation CIP Data SCADA, workstations Technical Feasibility Exceptions Requirements, current status, devices Internal Control Evaluation Performed - Std/Req, date, control implementation Monitoring Scope Attachment 1 Reference Documents Risk Assessment Questionnaire, previous audit reports, self-certifications Event Review summary of event Enforcement Mitigation Assessment Mitigation milestones Registered Entity Assessment Revision History 6

362 Inherent Risk Assessment Compliance Oversight Plan The entity assessment of Acme Power Company was performed to identify the monitoring and scope of the compliance engagement for The assessment of the attributes identified the levels of risk for the entity to the BES and the Regional Entity's footprint. SPP RE determined that an on-site audit of Acme Power Company will be conducted on May 9-12, 2016 in accordance with NERC Rules of Procedure, The engagement scope is based on the Risk Elements from the NERC 2015 Implementation Plan and the 2015 SPP RE Audit Scope Document applicable to the entity's registered functions. SPP RE evaluated 35 risk attributes from the ERO Enterprise Inherent Risk Assessment Guide. The results were nine (9) high risk, eleven (11) moderate risk, twelve (12) low risks, and three (3) not applicable. The monitoring scope includes 30 standards with 70 requirements, see Attachment 1. Monitoring Method Date Frequency of IRA Next Monitoring O&P/CIP Audit May 9, 2016 Audit 3 year cycle May

363 Registration 8

367 Inherent Risk Assessment Technical Assessment 12

368 Inherent Risk Assessment 13

369 CIP Data 14

374 Results IRA will be presented by the IRA Team Lead to the SPP RE IRA Review Team for evaluation of the results Upon completion of the review, the IRA Team Lead will present to SPP RE management for approval The results will determine the Compliance Oversight Plan: Risk areas Monitoring method Scope of the engagement Frequency of the monitoring 19

375 Summary of the Assessment Registered Entity will be presented with an IRA Results Summary Report to allow for clarity and transparency in the assessment process SPP RE will ask the Registered Entity if they would like an Internal Control Evaluation (ICE) performed for any of the requirements in their monitoring scope At this point, the ICE process will begin 20

376 Internal Control Evaluation Process How does a Registered Entity request an ICE? With the IRA Assessment Letter you will receive an Internal Control Evaluation Workbook What is in the Workbook? List of the Standards/Requirements that are in scope The Registered Entity will identify the Standard/Requirement for which they want an ICE performed SPP RE will review the list of controls the Registered Entity has selected and prioritize by risk and available SPP RE resources 21

377 Self Logging What is Self Logging A method of self reporting low impacting noncompliance issues Reporting done quarterly Requesting self logging privileges Notify Enforcement Review of your Compliance program Entity Assessment for Self-Logging Review the Registered Entities internal compliance program 22

378 Evaluation of Design If the Registered Entity requests an evaluation, SPP RE will request documentation of the internal controls design Entity vs. Activity level controls Entity-Level Controls: controls which are pervasive across an organization and include culture, values and ethics, governance, transparency and accountability Activity-Level Controls: controls specific to a process or a function; may be manual or automated SPP RE will review the design of the internal controls and determine their sufficiency SPP RE will develop a Test Plan of the internal controls 23

379 Design Examples Preventative Controls Documented process Training Change management Log review roles and responsibilities Detective Controls Periodic verification Periodically test monitoring 24

380 Evaluation of Effectiveness Testing is based on the facts and circumstances of the internal control program Testing may include documentation such as logs, videos, software files, process checklists, etc. The criteria in the ERO Enterprise Internal Control Evaluation Guide will be used to determine the effectiveness of the implementation of the internal controls 25

381 Level of Implementation Fully Implemented Sufficient evidence and/or affirmations are present and judged to be adequate to demonstrate process and implementation. No weakness noted. Largely Implemented - Sufficient evidence and/or affirmations are present and judged to be adequate to demonstrate process and implementation. One or more weaknesses noted. Partially Implemented Data indicates the process and internal controls are implemented and some data indicate the practice is not implemented. 26

382 Level of Implementation Not Implemented Some or all data are absent or judged to be inadequate; data supplied does not support the conclusion that the process is implemented. One or more significant weaknesses. Missing The design of the control is not ready to be implemented. 27

383 Results After the level of implementation of controls has been determined, SPP RE will consider whether testing may be reduced during the monitoring fieldwork No fieldwork Reduced sampling 28

384 Inherent Risk Assessment and Internal Control Evaluation Timeline IRA started at approx 180 days prior to monitoring activity. IRA completed and approved at approx 165 days prior to monitoring activity and the IRA Letter is sent to the registered entity. Registered Entity will provide documentation and SPP RE will evaluate the effectiveness of the Internal Controls. Start of the monitoring activity. (Timeline figure: markers at 180, 165, 155, 130, 90 and 0 days before the monitoring activity; surviving interval labels: 10 days, 25 days, 90 days.) Upon receiving the IRA Letter, the Registered Entity will have 10 days to request an ICE. The Registered Entity will provide documentation and SPP RE will evaluate the design of the Internal Control. SPP RE will send the Registered Entity the monitoring activity notification at 90 days as stated in the RoP.

385 James Williams Steven Keller Lead Compliance Specialist Lead Compliance Specialist

386 FAC-008 and PRC-005 Guidance September 29, 2015 Fall Workshop SPP RE Staff: Jeff Rooker Jim Williams

387 Outline FAC R1, R2, and R6 guidance FAC General Guidance PRC-005 General Guidance PRC-005 Transition/Implementation Plan PRC-005 R5 Guidance 2

388 FAC R1 Guidance R1. Each Generator Owner shall have documentation for determining the Facility Ratings of its solely and jointly owned generator Facility(ies) up to the low side terminals of the main step up transformer if the Generator Owner does not own the main step up transformer and the high side terminals of the main step up transformer if the Generator Owner owns the main step up transformer. 3

389 FAC R1 Guidance 1.1. The documentation shall contain assumptions used to rate the generator and at least one of the following: Design or construction information such as design criteria, ratings provided by equipment manufacturers, equipment drawings and/or specifications, engineering analyses, method(s) consistent with industry standards (e.g. ANSI and IEEE), or an established engineering practice that has been verified by testing or engineering analysis. Operational information such as commissioning test results, performance testing or historical performance records, any of which may be supplemented by engineering analyses. 4

390 FAC R1 Guidance 1.2. The documentation shall be consistent with the principle that the Facility Ratings do not exceed the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility. The auditor must verify the basis for the Facility Rating includes all applicable Equipment Ratings up to point of interconnection with TO- however without the Equipment Rating detail required per R2 and R3. Typically need one-line with ratings. 5

391 FAC R1 Guidance RSAW Question: Does Registered Entity solely and/or jointly own the main step up transformer? Answer to this Question is used in conjunction with R2 to define point of interconnection with TO. Where R1 ends, R2 begins. 6

392 FAC R1 Guidance Standard Drafting Team comments for Project R1 and R2 apply to Generator Owners and should be considered together. R1 relates to the generator electrical rating and any other electrical components up to the GSU to verify Facility Rating. R1 does not ask for any ratings of specific equipment within the plant (turbine, feed pump, etc.) but only the rating at the specific points in the requirement. 7

393 FAC R1 Guidance Evidence could be that your Facility Rating is based on the annual full load capability test per SPP criteria 12. The actual Facility Rating would be the result of that test. Normal and Emergency ratings are not included in R1, which provides for the Facility Rating of the generation equipment. 8

394 FAC R2 Guidance R2 only applies if a GO owns facilities beyond the location specified in R1 (which is typically the GSU). If the GO does not own facilities past the location specified in R1, then R2 does NOT apply. R3 begins the Facility Rating process for TOs. 9

395 FAC R6 Guidance R6 Each Transmission Owner and Generator Owner shall have Facility Ratings for its solely and jointly owned Facilities that are consistent with the associated Facility Ratings methodology (FRM) or documentation for determining its Facility Rating. The audit team will evaluate the associated generator facility rating spreadsheet to verify it is consistent with the FRM. (i.e. normal/emergency ratings, ambient conditions if included). 10

396 FAC General Guidance Use consistent units in determining facility ratings (MVA). SPP Criteria 12.2 Transmission circuits- ckt ratings will be specified in MVA and are taken as minimum of all of the elements in series. A transmission circuit shall consist of all load carrying elements between circuit breakers or the comparable switching devices. Ensure you have underlying evidence of ratings development (one lines with ratings shown, nameplate data, IEEE or industry standards utilized). Ensure you include ambient conditions and operating limitations per R2.2 and R

397 FAC General Guidance Ensure normal and emergency facility ratings developed match what is in EMS, used by transmission planners in studies, reported to the RC (SPP, MISO), TSP (SPP, MISO) and the Planning Coordinator (SPP, MISO). Ensure documentation on changes made to facility ratings by engineering are provided to operations. Clarify transformer ratings with cooling in FRM and rating spreadsheets. Maintain a revision history on FRM. 12

398 FAC General Guidance Verify most limiting element equipment rating of terminals with 3rd party owners, re-verify periodically. Verify all RSAW narratives explain evidence of compliance. Document basis for emergency ratings for components. If using open bus configuration for ring/breaker and a half scheme (two paths), verify Operations has normal and contingency Facility Rating in EMS in real time. These open buses ratings should be considered when switching and approving outages. 13

399 FAC General Guidance Ensure you have internal controls to: Maintain and verify changes in facility ratings. Maintain an inventory of equipment requiring ratings. Consider sampling of facilities to verify ratings consistent with FRM and consistent with ratings used in operations. Verify that as-built conditions are reviewed to ensure the design ratings are still correct. Verify RC and TOP seasonal facility ratings are the same. 14

400 FAC General Guidance Review questions to ask: Is everything in the one-line diagram in series considered in the development of the facility rating? Are the most limiting elements identified? Are they the same or different for normal and emergency ratings? 15

401 PRC-005 Guidance PRC-005-3(i) adds Automatic Reclosing Maintenance (effective 4/1/16). PRC adds Sudden Pressure Relay Maintenance (effective 10/1/16). PRC-005 is not applicable to dispersed generation resources below an aggregate of 75 MVA (same position as the dispersed generation resource white paper). The implementation plan established under PRC remains unchanged except for the addition of Automatic Reclosing and Sudden Pressure Relays. 16

402 PRC-005 Transition While in transition from version 1, be prepared to identify: All applicable Protection System components. The plan under which they were last maintained: Legacy standard or PRC (or successor standard-v3(i) or v4). Maintain documentation to demonstrate compliance with the Legacy Standards until the entity meets the requirements of PRC in accordance with this implementation plan. 17

403 PRC-005 Implementation Each entity will maintain each of their Protection System components according to their maintenance program already in place for the legacy standards or according to the program for PRC-005-2, but not both. Once an entity has designated PRC as its maintenance program for specific Protection System components, they cannot revert to the legacy program for those components. (You get to make the call, but you can't take it back.) New components added after April 1, 2015 must be in the PRC program and the maintenance activities prescribed. 18

404 PRC-005 Implementation Phased implementation based on maximum allowable interval. The Implementation Timetable does not reset the clock for the maintenance interval. Retire Legacy Standards by April 1, Implementation Plan 19

405 Implementation Timetable 20

406 PRC-005 Implementation Example A 21

407 PRC-005 Implementation Example B 22

408 PRC-005 Implementation Must remain in compliance with version 1 until verified compliance with activities described in the tables of version 2. Examples PRC-005-1b did not previously apply, but PRC does apply to the device. UFLS-CT/PTs-(12 year interval) The entity would need to complete the first test for 30 % of the applicable devices by 4/1/19. See slide 21. PRC-005-1b previously applied, but there are new maintenance activities required under PRC The device must continue to be maintained in accordance with the PRC b program until that device is first maintained in accordance with PRC-005-2, which must occur by 4/1/17 for devices with a one to two year test interval. 23

409 PRC-005 Implementation PRC-005-1b previously applied, and previous maintenance essentially meets the requirements of PRC In this case, the entity may simply move the device to the new program PRC because the previous (PRC-005-1b) maintenance test supports the requirements of PRC Having moved the device to PRC-005-2, the entity would then continue to maintain the device according to the intervals in the new PRC program. See slide

410 PRC-005 General Guidelines Evidence Provide summary by component of previous test date, most recent test and next test date to verify intervals and under what version they were tested. Clearly identify which relays have associated communications. Clearly indicate page number or highlighting of test results by component. Relay names on test forms should match RATSTATS or provide index. 25

411 PRC-005 General Guidelines Internal Controls What are some ways to check the electronic database to ensure that it is complete? All components, all substations and generation. How do people make sure new/upgraded substations are tracked in the program? How is the work of relay technicians reviewed? Did they complete the work, mitigate any issues, as found as left? 26

412 PRC-005 R5 Definition Unresolved Maintenance Issue A deficiency identified during a maintenance activity that causes the component to not meet the intended performance, cannot be corrected during the maintenance interval, and requires follow-up action. The entity shall demonstrate efforts to correct any identified Unresolved Maintenance Issues. Measure- evidence may include but is not limited to work orders, replacement Component orders, invoices, project schedules with completed milestones, return material authorizations (RMAs) or purchase orders. 27

413 PRC-005 R5 Evidence List of Unresolved Maintenance Issues: April 1, Any UMI on this date will be reviewed back to Tracking from April 1, 2014 for UMI will be needed. List is to include: Resolved Maintenance Issues. Remaining Unresolved Maintenance Issues. 28

414 Questions Please feel free to ask Jim Williams Lead Compliance Specialist Jeff Rooker Lead Compliance Engineer

415 Fall Workshop

416 Watch SPP RE 101 videos! SPP.org > Regional Entity > Outreach 2

417 2016 Outreach Workshops March 15-16, Spring 2016 Workshop, Little Rock June 8-9, CIP 2016 Workshop, Little Rock Sept , Fall 2016 Workshop, Oklahoma City Trustee Meetings January 25, Oklahoma City April 25, Santa Fe July 25, 2016, Rapid City October 24, Little Rock 3

418 New Standards: October 1, 2015 COM Communications CIP Physical Security (NEW) PRC Automatic Underfrequency Load Shedding 4

419 New Standards: January 1, 2016 FAC Facility Interconnection Requirements FAC Facility Interconnection Studies NUC Nuclear Plant Interface Coordination New Standards: April 1, 2016 CIP Version 5 Standards PRC Protection System and Automatic Reclosing Maintenance 5

420 New Standards: July 1, 2016 COM Operating Personnel Communications Protocols MOD Verification and Data Reporting of Generator Real and Reactive Power Capability and Synchronous Condenser Reactive Power Capability MOD Demand and Energy Data PER Operations Personnel Training PRC Protection System Misoperation Identification and Correction 6

421 New Standards: July 1, 2016 (Cont.) PRC Coordination of Generating Unit or Plant Capabilities, Voltage Regulating Controls, and Protection PRC Generator Frequency and Voltage Protective Relay Settings BAL Real Power Balancing Control Performance 7

422 VEGETATION CONTACTS Last Reportable Last Actionable NERC (1Q-2015 Last Report) 1Q Q-2012 SPP RE (2Q-2015 Last Report) 1Q Q

423 Most Violated Standards Based on rolling 12 months through 8/31/15 [Represents ~ 93% of total violations]

| SPP RE Rank | NERC 12 Month Rank * | Standard | Description | Number of Violations | Risk Factor |
|---|---|---|---|---|---|
| 1 | 7 | CIP-002 | Critical Cyber Asset Identification | 23 | High/Lower |
| 2 | 1 | CIP-007 | Systems Security Management | 20 | Med./Lower |
| 3 | 3 | CIP-005 | Electronic Security Perimeters | 13 | Med./Lower |
| 4 | 2 | CIP-006 | Physical Security - Critical Cyber Assets | 12 | Med./Lower |
| 5 | 4 | CIP-004 | Personnel & Training | 5 | Med./Lower |
| 6 | 8 | VAR-002 | Network Voltage Schedules | 5 | Med./Lower |
| 7 | 6 | CIP-003 | Security Management Controls | 4 | Med./Lower |
| 8 | 5 | PRC-005 | Protection System Maintenance | 4 | High/Lower |
| 9 | 9 | CIP-009 | Recovery Plan for Critical Cyber Assets | 3 | Med./Lower |
| | | FAC-008 | Facility Ratings (includes FAC-009) | 2 | Med./Lower |

* NERC as of June 30, 2014 ** Not in NERC Rolling 12 month Top Ten 9

424 NERC Facility Ratings Alert Status 6 Transmission Owners have extensions Work has extended into 2016 in some cases Final count in SPP RE: 7,100 discrepancies found 100% High priority lines complete as of 7/15/15 72% Medium priority lines complete as of 7/15/15 Up from 68% on 12/31/14 85% Low priority lines complete as of 7/15/15 Up from 67% on 12/31/14 10

425 SPP RE Misoperation Report as of Q2-15

426 Causes of Misoperations Q2-13 to Q2-15

427 Misoperation Causes as a percentage Q2-14 to Q2-15

428 Operation/Misoperation Comparison

More information

PER Operations Personnel Training

PER Operations Personnel Training A. Introduction 1. Title: Operations Personnel Training 2. Number: PER-005-2 3. Purpose: To ensure that personnel performing or supporting Real-time operations on the Bulk Electric System are trained using

More information

A. Introduction. B. Requirements. Standard PER System Personnel Training

A. Introduction. B. Requirements. Standard PER System Personnel Training A. Introduction 1. Title: System Personnel Training 2. Number: PER-005-1 3. Purpose: To ensure that System Operators performing real-time, reliability-related tasks on the North American Bulk Electric

More information

Standard Development Timeline

Standard Development Timeline Standard TPL-001-4 Transmission System Planning Performance Requirements Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Review of Standards Becoming Enforceable in 2014

Review of Standards Becoming Enforceable in 2014 Review of Standards Becoming Enforceable in 2014 Laura Hussey, NERC Director of Standards Development Standards and Compliance Workshop April 3, 2014 New BAL and VAR Standards in 2014 BAL-001-1 Real Power

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard is adopted by the NERC Board of Trustees (Board).

More information

Standard EOP Load Shedding Plans

Standard EOP Load Shedding Plans A. Introduction 1. Title: Load Shedding Plans 2. Number: EOP-003-12 3. Purpose: A Balancing Authority and Transmission Operator operating with insufficient generation or transmission capacity must have

More information

A. Introduction. B. Requirements. Standard PER System Personnel Training

A. Introduction. B. Requirements. Standard PER System Personnel Training A. Introduction 1. Title: System Personnel Training 2. Number: PER-005-1 3. Purpose: To ensure that System Operators performing real-time, reliability-related tasks on the North American Bulk Electric

More information

PRC-005-X. Protection System Maintenance and Testing Phase 3. Charles Rogers, Consumers Energy Valerie Agnew, NERC May 14, 2014

PRC-005-X. Protection System Maintenance and Testing Phase 3. Charles Rogers, Consumers Energy Valerie Agnew, NERC May 14, 2014 PRC-005-X Protection System Maintenance and Testing Phase 3 Charles Rogers, Consumers Energy Valerie Agnew, NERC May 14, 2014 Administrative Items NERC Antitrust Guidelines It is NERC s policy and practice

More information

PER System Personnel Training ERO Auditor Workshop. Pete Knoetgen, Director of Training September 20, 2012

PER System Personnel Training ERO Auditor Workshop. Pete Knoetgen, Director of Training September 20, 2012 PER-005-1 System Personnel Training ERO Auditor Workshop Pete Knoetgen, Director of Training September 20, 2012 Agenda Purpose of the standard Requirements and compliance approach from RSAW Frequently

More information

CIP Cyber Security - Supply Chain Risk Management. A. Introduction

CIP Cyber Security - Supply Chain Risk Management. A. Introduction A. Introduction 1. Title: Cyber Security - Supply Chain Risk Management 2. Number: CIP-013-1 3. Purpose: To mitigate s to the reliable operation of the Bulk Electric System (BES) by implementing security

More information

Post SAR July day Formal Comment Period with Parallel Ballot July 2013

Post SAR July day Formal Comment Period with Parallel Ballot July 2013 Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

2013 SPP RE Annual CMEP Implementation Plan

2013 SPP RE Annual CMEP Implementation Plan 2013 SPP RE Annual CMEP Implementation Plan December 3, 2012 Jeff Rooker, Lead Compliance Engineer jrooker.re@spp.org 501.614.3261 Leesa Oakes, Compliance Specialist II loakes.re@spp.org 501.614.3274 Outline

More information

Standard EOP Load Shedding Plans

Standard EOP Load Shedding Plans A. Introduction 1. Title: Load Shedding Plans 2. Number: EOP-003-2 3. Purpose: A Balancing Authority and Transmission Operator operating with insufficient generation or transmission capacity must have

More information

Unofficial Comment Form Functional Model Advisory Group Revisions to the Functional Model and Functional Model Technical Document

Unofficial Comment Form Functional Model Advisory Group Revisions to the Functional Model and Functional Model Technical Document Functional Model Advisory Group Revisions to the Functional Model and Functional Model Technical Document Do not use this form for submitting comments. Use the electronic form to submit comments on the

More information

MOD Steady-State and Dynamic System Model Validation

MOD Steady-State and Dynamic System Model Validation MOD-033-1 Steady-State and Dynamic System Model Validation A. Introduction 1. Title: Steady-State and Dynamic System Model Validation 2. Number: MOD-033-1 3. Purpose: To establish consistent validation

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

Project Revisions to TOP and IRO Reliability Standards Mapping Document Updated December 2014

Project Revisions to TOP and IRO Reliability Standards Mapping Document Updated December 2014 Project 2014-03 Revisions to TOP and IRO Reliability Standards Mapping Document Updated December 2014 This mapping document showing the translation of Requirements in the following currently-enforceable

More information

Mapping Document for FAC-010-3

Mapping Document for FAC-010-3 Mapping Document for FAC-010-3 The Project 2015 09 standard drafting team (SDT) is proposing the retirement of the NERC FAC 010 3 Reliability Standard. The SDT further proposes a new paradigm regarding

More information

Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan Annual Implementation Plan

Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan Annual Implementation Plan Québec Reliability Standards Compliance Enforcement Program Implementation Plan 2018 Annual Implementation Plan Effective Date: January 1, 2018 Approved by the Régie: December 1, 2017 Table of Contents

More information

Standard EOP System Restoration from Blackstart Resources

Standard EOP System Restoration from Blackstart Resources A. Introduction 1. Title: System Restoration from Blackstart Resources 2. Number: EOP-005-2 3. Purpose: Ensure plans, Facilities, and personnel are prepared to enable System restoration from Blackstart

More information

Standard MH-TPL Transmission System Planning Performance Requirements

Standard MH-TPL Transmission System Planning Performance Requirements A. Introduction 1. Title: Transmission System Planning Performance Requirements 2. Number: MH-TPL-001-4 3. Purpose: Establish Transmission system planning performance requirements within the planning horizon

More information

FERC Directives in Order 693 Addressed in IROL Implementation Plan

FERC Directives in Order 693 Addressed in IROL Implementation Plan The following Interconnection Reliability Operating Limit (IROL) standards were under development when the Version 0 project was initiated: IRO-008 Reliability Coordinator Operational Analyses and Real-time

More information

NERC Standards Report, Status and Timetable for Addressing Regulatory Directives, and Periodic Review of Reliability Standards Docket No.

NERC Standards Report, Status and Timetable for Addressing Regulatory Directives, and Periodic Review of Reliability Standards Docket No. March 31, 2016 Ms. Kimberly D. Bose Secretary Federal Energy Regulatory Commission 888 First Street, NE Washington, D.C. 20426 Re: NERC Standards Report, Status and Timetable for Addressing Regulatory

More information

DESCRIPTION OF NERC AND NPCC STANDARD & CRITERIA DOCUMENTS

DESCRIPTION OF NERC AND NPCC STANDARD & CRITERIA DOCUMENTS DESCRIPTION OF NERC AND NPCC STANDARD & CRITERIA DOCUMENTS NERC RELIABILITY STANDARDS A NERC Reliability Standard includes a set of Requirements that define specific obligations of owners, operators, and

More information

A. Introduction. B. Requirements and Measures

A. Introduction. B. Requirements and Measures A. Introduction 1. Title: System Restoration from Blackstart Resources 2. Number: EOP-005-3 3. Purpose: Ensure plans, Facilities, and personnel are prepared to enable System restoration from Blackstart

More information

Technical Justification Resource Document Project Generator Requirements at the Transmission Interface Updated July 16, 2012

Technical Justification Resource Document Project Generator Requirements at the Transmission Interface Updated July 16, 2012 Technical Justification Resource Document Project 2010-07 Generator Requirements at the Transmission Interface Updated July 16, 2012 I. Background As part of its work on Project 2010-07 Generator Requirements

More information

Appendix 5B. Statement of Compliance Registry Criteria

Appendix 5B. Statement of Compliance Registry Criteria Appendix 5B Statement of Compliance Registry Criteria Revision 5.1 Effective: July 1, 2014 (as noted below) The highlighted terms Bulk Electric System and Load in this document will become effective as

More information

DRAFT Reliability Standards Development Plan. June 15, 2016

DRAFT Reliability Standards Development Plan. June 15, 2016 DRAFT Reliability Standards Development Plan 2017 2019 June 15, 2016 I Table of Contents Background... iii Executive Summary... iv 2016 Progress Report...1 FERC Directives...1 Projects Completed in 2016...1

More information

March 30, 2015 VIA ELECTRONIC FILING

March 30, 2015 VIA ELECTRONIC FILING March 30, 2015 VIA ELECTRONIC FILING David Erickson President and Chief Executive Officer Alberta Electric System Operator 2500, 330-5 Avenue SW Calgary, Alberta T2P 0L4 RE: North American Electric Reliability

More information

General Engagement Plan Briefing Compliance Audits & Spot Checks

General Engagement Plan Briefing Compliance Audits & Spot Checks General Engagement Plan Briefing Compliance Audits & Spot Checks TEXAS RELIABILITY ENTITY, INC. TEM 10.0.76 805 LAS CIMAS PARKWAY, SUITE 200 AUSTIN, TEXAS 78746 (512) 583-4900 Contents INTRODUCTION...

More information

Standard EOP System Restoration from Blackstart Resources

Standard EOP System Restoration from Blackstart Resources A. Introduction 1. Title: System Restoration from Blackstart Resources 2. Number: EOP-005-2 3. Purpose: Ensure plans, Facilities, and personnel are prepared to enable System restoration from Blackstart

More information

A. Introduction 1. Title: Automatic Underfrequency Load Shedding Requirements

A. Introduction 1. Title: Automatic Underfrequency Load Shedding Requirements A. Introduction 1. Title: Automatic Underfrequency Load Shedding Requirements 2. Number: PRC 006 RFC 01 3. Purpose: To establish ReliabilityFirst requirements for automatic Load shedding (UFLS) to support

More information

NERC PLANNING STANDARDS

NERC PLANNING STANDARDS NERC PLANNING STANDARDS North American Electric Reliability Council April 2004 Version of All Planning Standards Terms and Their Definitions As Used in the Analysis (Study) an examination or simulation

More information

Compliance Operations Draft Reliability Standard Compliance Guidance for PER July 1, 2013

Compliance Operations Draft Reliability Standard Compliance Guidance for PER July 1, 2013 Compliance Operations July 1, 2013 Introduction The NERC Compliance department (Compliance) worked with the PER-005 informal ad hoc group (PER Group) in a review of pro forma standard PER-005-2. The purpose

More information

Security Guideline for the Electricity Sector: Identifying Critical Assets

Security Guideline for the Electricity Sector: Identifying Critical Assets Note: The guideline was developed for CIP-002-1 but is also applicable to CIP- 002-2 and CIP-002-3. Security Guideline for the Electricity Sector: Identifying Critical Assets Disclaimer: This supporting

More information

SPP RTO Compliance Forum TPL Jason Terhune

SPP RTO Compliance Forum TPL Jason Terhune SPP RTO Compliance Forum TPL-001-4 Jason Terhune 501-688-8261 jterhune@spp.org 1 TPL Standards have been Consolidated TPL-001-0.1 TPL-002-0b TPL-003-0b TPL-004-0a TPL-001-4 R1 R2 R3 R4 R5 R6 R7 R8 2 Overview

More information

Comparison of IV.A.M2 and IV.A.M3 to EOP-005-1

Comparison of IV.A.M2 and IV.A.M3 to EOP-005-1 Comparison of IV.A.M2 and IV.A.M3 to EOP-005-1 Proposed Draft Standard The drafting team proposes to revise existing standard EOP-005 to incorporate IV.A.M2 and IV.A.M3. IV.A.M2 is translated into requirements

More information

Unofficial Comment Form Project PER Revisions

Unofficial Comment Form Project PER Revisions Project 2010-01 PER Revisions Please DO NOT use this form for submitting comments. Please use the electronic form to submit comments on the draft PER-005-2 standard. The electronic comment form must be

More information

Standard TPL-003-0a1a System Performance Following Loss of Two or More BES Elements

Standard TPL-003-0a1a System Performance Following Loss of Two or More BES Elements Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed:

More information

Risk-Based Registration. Terry Brinker, Manager, Registration Services, NERC 2014 Standards and Compliance Fall Workshop September 24, 2014

Risk-Based Registration. Terry Brinker, Manager, Registration Services, NERC 2014 Standards and Compliance Fall Workshop September 24, 2014 Risk-Based Registration Terry Brinker, Manager, Registration Services, NERC 2014 Standards and Compliance Fall Workshop September 24, 2014 Outline Why are we doing this? What is being proposed? Why are

More information

FAC Facility Interconnection Requirements

FAC Facility Interconnection Requirements FAC-001-3 Interconnection Requirements A. Introduction 1. Title: Interconnection Requirements 2. Number: FAC-001-3 3. Purpose: To avoid adverse impacts on the reliability of the Bulk Electric System, Transmission

More information

Performance Standards Issues. Donald Lamontagne Principal Engineer Arizona Public Service

Performance Standards Issues. Donald Lamontagne Principal Engineer Arizona Public Service Performance Standards Issues Donald Lamontagne Principal Engineer Arizona Public Service Free Template from www.brainybetty.com 2 Regulatory Entities FERC Energy Policy Act of 2005 NERC Designated Electric

More information

ERO Enterprise Inherent Risk Assessment Guide

ERO Enterprise Inherent Risk Assessment Guide ERO Enterprise Inherent Risk Assessment Guide October 2014 I Table of Contents Introduction... ii Revision History... ii 1.0 IRA Introduction...1 1.1 IRA Role within the Overall Risk-Based Compliance Oversight

More information

OUTAGE COORDINATION PROCESS

OUTAGE COORDINATION PROCESS OUTAGE COORDINATION PROCESS March 13, 2017 www.peakrc.com. Classification: Public Page 0 of 68 Effective Date: Apr 01, 2017 Contents 1. Conventions... 2 2. Introduction... 2 3. Purpose... 2 4. Applicability...

More information

Standard Development Timeline

Standard Development Timeline Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Description of Current Draft

More information

NERC Risk Based Registration Phase 1 Enhanced Draft Design Framework and Implementation Plan Atlanta, July 2014 GA 30326

NERC Risk Based Registration Phase 1 Enhanced Draft Design Framework and Implementation Plan Atlanta, July 2014 GA 30326 Attachment B Risk-Based Registration Phase 1 - Enhanced Draft Design Framework and Implementation Plan July 2014 3353 Peachtree Road NE Suite 600, North Tower NERC Risk Based Registration Phase 1 Enhanced

More information

Approved RMWG Discussion was held. ??? John Simpson need to assign SMART rating

Approved RMWG Discussion was held. ??? John Simpson need to assign SMART rating ALR1-1 Generator Reactive Limit Metric:Voltage schedules How many times did generators encounter var limits associated with holding voltage schedule. 10 3 2 1 1 3 1 Initial pilot effort completed, reaching

More information

A separate notification will be provided to NPCC Members announcing the start of the formal 10 day ballot period.

A separate notification will be provided to NPCC Members announcing the start of the formal 10 day ballot period. October 3, 2011 NPCC Full and General Members; Please find attached a draft of the NPCC Regional Standard PRC-006-NPCC-1 Automatic Underfrequency Load Shedding which has been posted to the NPCC Website

More information

A. Introduction 1. Title: Automatic Underfrequency Load Shedding Requirements

A. Introduction 1. Title: Automatic Underfrequency Load Shedding Requirements A. Introduction 1. Title: Automatic Underfrequency Load Shedding Requirements 2. Number: PRC 006 RFC 01 3. Purpose: To establish ReliabilityFirst requirements for automatic underfrequency Load shedding

More information

2015 Operational Practices Survey Questions

2015 Operational Practices Survey Questions 2015 Operational Practices Survey Questions This document of survey questions has been provided as a courtesy. It is not the actual survey, which will be completed electronically and only by a designated

More information

Statement of Compliance Registry Criteria (Revision 3.1)

Statement of Compliance Registry Criteria (Revision 3.1) Statement of Compliance Registry Criteria (Revision 3.1) Summary Since becoming the Electric Reliability Organization (ERO), NERC has initiated a program to identify candidate organizations for its compliance

More information

Reliability Assurance Initiative. Sonia Mendonca, Associate General Counsel and Senior Director of Enforcement

Reliability Assurance Initiative. Sonia Mendonca, Associate General Counsel and Senior Director of Enforcement Reliability Assurance Initiative Sonia Mendonca, Associate General Counsel and Senior Director of Enforcement Agenda Reliability Assurance Initiative (RAI) Overview 2015 ERO CMEP Implementation Plan Inherent

More information

Standard PRC (i)a Analysis and Mitigation of Transmission and Generation Protection System Misoperations

Standard PRC (i)a Analysis and Mitigation of Transmission and Generation Protection System Misoperations A. Introduction 1. Title: Analysis and Mitigation of Transmission and Generation Protection System 2. Number: PRC-004-2.1(i)a 3. Purpose: Ensure all transmission and generation Protection System affecting

More information

Reliability Standard Audit Worksheet 1

Reliability Standard Audit Worksheet 1 Reliability Standard Audit Worksheet 1 PER-006-1 Specific Training for Personnel This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity: NCR Number: Compliance

More information

2019 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan

2019 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan 2019 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan Version 2.1 November 2018 NERC Report Title Report Date I Table of Contents Preface... iv Revision History... v Introduction...

More information

Welcome to the Spring Workshop!

Welcome to the Spring Workshop! Welcome to the Spring Workshop! SPP.org ->Regional Entity ->2016 Spring Workshop to: Download materials Submit anonymous question/comment You may also email comments or questions to reworkshop@spp.org.

More information

ERO Reliability Performance Update

ERO Reliability Performance Update ERO Reliability Performance Update Sam Chanoski, NERC Director of Situation Awareness and Event Analysis Fall 2017 NPCC Compliance and Standards Workshop November 9, 2017 Daily Severity Risk Index 2 RELIABILITY

More information

OUTAGE COORDINATION PROCESS

OUTAGE COORDINATION PROCESS OUTAGE COORDINATION PROCESS October 3, 2016 www.peakrc.com. Classification: Public Page 0 of 67 Effective Date: Apr 01, 2017 Contents 1. Conventions... 2 2. Introduction... 2 3. Purpose... 2 4. Applicability...

More information

Standard NUC Nuclear Plant Interface Coordination

Standard NUC Nuclear Plant Interface Coordination A. Introduction 1. Title: Nuclear Plant Interface Coordination 2. Number: NUC-001-32 3. Purpose: This standard requires coordination between Nuclear Plant Generator Operators and Transmission Entities

More information

Standard PRC-002-NPCC-01 Disturbance Monitoring

Standard PRC-002-NPCC-01 Disturbance Monitoring A. Introduction 1. Title: Disturbance Monitoring 2. Number: PRC-002-NPCC-01 3. Purpose: Ensure that adequate disturbance data is available to facilitate Bulk Electric System event analyses. All references

More information

A. Introduction Balancing Authority Reliability Coordinator Transmission Operator. 5. Effective Date:

A. Introduction Balancing Authority Reliability Coordinator Transmission Operator. 5. Effective Date: A. Introduction 1. Title: Emergency Operations 2. Number: EOP-011-1 3. Purpose: To address the effects of operating Emergencies by ensuring each Transmission Operator and Balancing Authority has developed

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION North American Electric Corporation ) and Northeast Power Coordinating Council, Inc. ) Docket No. RC09--000 INFORMATIONAL STATUS

More information

Standard TPL System Performance Following Extreme BES Events

Standard TPL System Performance Following Extreme BES Events A. Introduction 1. Title: System Performance Following Extreme Events Resulting in the Loss of Two or More Bulk Electric System Elements (Category D) 2. Number: TPL-004-1 3. Purpose: System simulations

More information

Risk-Based Registration

Risk-Based Registration Risk-Based Registration Phase 1 - Enhanced Design Framework and Implementation Plan October 2014 Table of Contents Table of Contents... i Background and Introduction...2 Design Framework Overview...5 Ties

More information

Unofficial Comment Form Functional Model Advisory Group Revisions to the Functional Model and Functional Model Technical Document

Unofficial Comment Form Functional Model Advisory Group Revisions to the Functional Model and Functional Model Technical Document Functional Model Advisory Group Revisions to the Functional Model and Functional Model Technical Document Do not use this form for submitting comments. Use the electronic form to submit comments on the

More information

Project Revision of TOP/IRO Reliability Standards Resolution of Issues and Directives

Project Revision of TOP/IRO Reliability Standards Resolution of Issues and Directives Project 2014-03 - Revision of TOP/IRO Reliability Standards Resolution of Issues and Directives The following table contains a list of all FERC directives, industry issues, and Independent Expert Review

More information

Proposed Revisions to the Applicability of NERC Reliability Standards NERC Standards Applicability to Dispersed Generation Resources

Proposed Revisions to the Applicability of NERC Reliability Standards NERC Standards Applicability to Dispersed Generation Resources Draft White Paper Proposed Revisions to the Applicability of NERC Reliability Standards NERC Standards Applicability to Dispersed Generation Resources Project 2014-01 Standards Applicability for Dispersed

More information

DRAFT Reliability Standard Audit Worksheet 1

DRAFT Reliability Standard Audit Worksheet 1 DRAFT Reliability Standard Audit Worksheet 1 PER-005-2 Operations Personnel Training This section to be completed by the Compliance Enforcement Authority. Audit ID: Registered Entity: NCR Number: Compliance

More information

Exhibit A. Reliability Standards Proposed for Approval

Exhibit A. Reliability Standards Proposed for Approval Exhibit A Reliability Standards Proposed for Approval Proposed New Standard IRO-006-5 Standard IRO-006-5 Reliability Coordination Transmission Loading Relief A. Introduction 1. Title: Reliability Coordination

More information

Meeting Notes Project System Protection Coordination Standard Drafting Team December 1-4, 2014

Meeting Notes Project System Protection Coordination Standard Drafting Team December 1-4, 2014 Meeting Notes Project 2007-06 System Protection Coordination Standard Drafting Team December 1-4, 2014 Oncor HQ Ft. Worth, TX Administrative The meeting was brought to order by the chair Phil Winston at

More information

Standard IRO Reliability Coordination Monitoring and Analysis

Standard IRO Reliability Coordination Monitoring and Analysis A. Introduction 1. Title: Reliability Coordination Monitoring and Analysis 2. Number: IRO-002-4 3. Purpose: Provide System Operators with the capabilities necessary to monitor and analyze data needed to

More information

NERC Reliability Functional Model

NERC Reliability Functional Model NERC Reliability Functional Model Function Definitions and Responsible Entities Version 3 Approved by Standing Committees: Operating Committee: December 6, 2006 Planning Committee: December 6, 2006 Standards

More information

Standard IRO Reliability Coordination Monitoring and Analysis

Standard IRO Reliability Coordination Monitoring and Analysis Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed

More information

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION

UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION AUTOMATIC UNDERFREQUENCY LOAD ) Docket No. RM11-20-000 SHEDDING AND LOAD SHEDDING PLANS ) RELIABILITY STANDARDS ) ) COMMENTS OF

More information

SYSTEM OPERATING LIMITS METHODOLOGY FOR THE OPERATIONS HORIZON. Rev. 1.0

SYSTEM OPERATING LIMITS METHODOLOGY FOR THE OPERATIONS HORIZON. Rev. 1.0 No. RC0610 SYSTEM OPERATING LIMITS METHODOLOGY FOR THE OPERATIONS HORIZON Rev. 1.0 By California Independent System Operator (CAISO RC) No. RC0610 Table of Contents A. Conventions... 5 B. Introduction

More information