2016 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan Version 2.2

Transcription

1 2016 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan Version 2.2 December 2015 NERC Report Title Report Date I

2 Table of Contents Revision History... vii Preface... viii Introduction...1 Purpose...1 Implementation Plan...1 Significant Initiatives Impacting CMEP Activities...2 Risk-Based Registration Initiative...2 Background...2 Critical Infrastructure Protection Reliability Standards, Version Background...2 Activities...2 Physical Security NERC Reliability Standard CIP Background...3 Risk-Based Approach to Compliance Monitoring and Enforcement...4 Risk-Based Compliance Monitoring...4 Coordinated Oversight of Multi-Region Registered Entities...5 Compliance Assessments for Events and Disturbances...6 Risk-Based Enforcement...7 Compliance Exceptions...7 Self-Logging Program...7 Risk-Based Compliance Oversight Plan...8 Process for Risk Elements and Associated Areas of Focus...8 Risk Element Results Risk Elements Critical Infrastructure Protection Extreme Physical Events Maintenance and Management of BPS Assets Monitoring and Situational Awareness Protection System Failures Event Response/Recovery Human Performance Planning and System Analysis Regional Risk Assessments NERC 2016 ERO CMEP Implementation Plan Version 2.2 December 2015 ii

3 Table of Contents Regional Compliance Monitoring Plan ERO Enterprise CIP Version 5 and CIP-014 Monitoring Approach CIP Version Physical Security NERC Oversight of RE Compliance Monitoring Appendix A1 - Florida Reliability Coordinating Council (FRCC) 2016 CMEP Implementation Plan Compliance Monitoring and Enforcement CMEP IP Highlights and Material Changes Other Regional Key Initiatives & Activities Regional Risk Assessment Process Number and type of registered functions Geographic location, seasonal/ambient conditions, terrain and acts of nature BPS transmission lines (circuit miles, voltage levels, IROL flowgates) BPS generation facilities Blackstart Resources Interconnection points and critical paths Special Protection Schemes (SPS) System events and trends Compliance history trends Regional Risks and Associated Reliability Standards Regional Compliance Monitoring Plan Periodic Data Submittals Self-Certifications Spot Checks Compliance Audits Compliance Outreach CIP Version 5 Outreach Appendix A2 - Midwest Reliability Organization (MRO) 2016 CMEP Implementation Plan Compliance Monitoring and Enforcement CMEP IP Highlights and Material Changes Other Regional Key Initiatives & Activities Regional Risk Assessment Process Regional Compliance Monitoring Plan Compliance Outreach Appendix A3 - Northeast Power Coordinating Council (NPCC) 2016 CMEP Implementation Plan NERC 2016 ERO CMEP Implementation Plan Version 2.2 December 2015 iii

4 Table of Contents 1. Compliance Monitoring and Enforcement CMEP IP Highlights and Material Changes Other Regional Key Initiatives & Activities Regional Risk Assessment Process Regional Risk Elements and Areas of Focus Regional Compliance Monitoring Plan IRA Audits Spot Check Self-Certifications Compliance Outreach Appendix A4 - ReliabilityFirst Corporation (ReliabilityFirst) 2016 CMEP Implementation Plan Compliance Monitoring and Enforcement CMEP Implementation Plan Highlights and Material Changes Other Regional Key Initiatives & Activities Guided Self-Certifications Risk-based Enforcement Self-Logging Regional Risk Assessment Process The Regional Risk Assessment Regional Risk Elements and Areas of Focus Regional Compliance Monitoring Plan CIP Compliance Monitoring Plan Operations and Planning Compliance Monitoring Plan Inherent Risk Assessments Self-Certifications Spot Checks Compliance Monitoring Schedule for Data Submittals Monitoring of New or Revised Standards Compliance Outreach Appendix A5 - SERC Reliability Corporation (SERC) 2016 CMEP Implementation Plan Compliance Monitoring and Enforcement CMEP IP Highlights and Material Changes Other Regional Key Initiatives and Activities Regional Risk Assessment Process NERC 2016 ERO CMEP Implementation Plan Version 2.2 December 2015 iv

5 Table of Contents 3. Regional Risk Elements and Areas of Focus Regional Compliance Monitoring Plan Compliance Audits Spot Checks Self-Certifications Periodic Data Submittals Inherent Risk Assessments Compliance Outreach Appendix A6 - Southwest Power Pool Regional Entity (SPP RE) 2016 CMEP Implementation Plan Compliance Monitoring and Enforcement CMEP IP Highlights and Material Changes Other Regional Key Initiatives & Activities Regional Risk Assessment Process Regional Risk Elements and Areas of Focus Regional Compliance Monitoring Plan Compliance Outreach Appendix A7 - Texas Reliability Entity (Texas RE) 2016 CMEP Implementation Plan Compliance Monitoring and Enforcement CMEP IP Highlights and Material Changes Other Regional Key Initiatives & Activities Regional Risk Assessment Process Regional Risks and Associated Reliability Standards Compliance Oversight Plan Compliance Outreach Appendix A8 - Western Electricity Coordinating Council (WECC) 2016 CMEP Implementation Plan Compliance Monitoring and Enforcement CMEP IP Highlights and Material Changes Regional Risk Assessment Process Risk Factors and IRA Regional Risk Elements and Areas of Focus Regional Compliance Monitoring Plan Periodic Data Submittals Self-Certifications Compliance Audits Compliance Outreach NERC 2016 ERO CMEP Implementation Plan Version 2.2 December 2015 v

6 Table of Contents Monthly Open Webinars Compliance User Group (CUG) Critical Infrastructure Protection User Group (CIPUG) Appendix B Compliance Assessment Report Compliance Assessment Process for Events and Disturbances NERC 2016 ERO CMEP Implementation Plan Version 2.2 December 2015 vi

7 Revision History Version Date Revision Detail Version 1.0 September 10, 2015 Initial release of the 2016 ERO Enterprise CMEP Implementation Plan Version 2.0 November 16, 2015 ERO Enterprise CMEP Implementation Plan updated to include RE Implementation Plans within the Appendix A. Significant changes include: Removed key enforcement date table due to confusion and dependency of enforcement and implementation dates being based on actions of the registered entity. Registered entities should contact their RE for details and questions on CIP implementation Expanded information on self-logging on page 7, and Added ERO Enterprise 2016 monitoring approach for CIP Version 5 and CIP-014 beginning on pages Added R3 for CIP to Table 3 Extreme Physical Events to align with ERO Enterprise 2016 monitoring approach for CIP Version 2.1 November 24, 2015 Version 2.2 December 1, 2015 Updates reflected in bold/underlined font. Removed duplicate requirements in the Regional Risk Elements and Areas of Focus section of the Appendix A5 SERC Reliability Corporation (SERC) 2016 CMEP Implementation Plan Corrected the link to the SERC 2016 Audit Schedule within the same appendix. Changed NCR01321 within SERC s 2016 Compliance Audit Plan table to O&P audit only. Removed City of Minden from the SPP RE 2016 Compliance Audit Plan. NERC 2016 ERO CMEP Implementation Plan Version 2.2 December 2015 vii

8 Preface The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system (BPS) in North America. NERC develops and enforces Reliability Standards; annually assesses seasonal and long term reliability; monitors the BPS through system awareness; and educates, trains, and certifies industry personnel. NERC s area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico. NERC is the electric reliability organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC s jurisdiction includes users, owners, and operators of the BPS, which serves more than 334 million people. The North American BPS is divided into several assessment areas within the eight Regional Entity (RE) boundaries, as shown in the map and corresponding table below. The Regional boundaries in this map are approximate. The highlighted area between SPP and SERC denotes overlap as some load-serving entities participate in one Region while associated transmission owners/operators participate in another. FRCC MRO NPCC RF SERC SPP-RE TRE WECC Florida Reliability Coordinating Council Midwest Reliability Organization Northeast Power Coordinating Council ReliabilityFirst SERC Reliability Corporation Southwest Power Pool Regional Entity Texas Reliability Entity Western Electricity Coordinating Council NERC 2016 ERO CMEP Implementation Plan Version 2.2 December 2015 viii

9 Introduction Purpose The ERO Enterprise Compliance Monitoring and Enforcement Program (CMEP) Implementation Plan (IP) is the annual operating plan carried out by Compliance Enforcement Authorities (CEAs) while performing their responsibilities and duties. CEAs, which consist of NERC and the eight REs, carry out CMEP activities in accordance with the NERC Rules of Procedure (ROP) (including Appendix 4C), their respective Regional Delegation Agreements, and other agreements with the Canadian regulatory authorities. The ROP requires NERC to provide an Implementation Plan to the REs on or about September 1 of the preceding year. 1 REs must submit their Implementation Plans to NERC for review and approval on or about October 1. RE Implementation Plans provide: Details on Regional Risk Assessment processes and results; Reliability Standards and Requirements associated with Regional Risk Assessment results; The RE compliance oversight plan, which includes the annual audit plan; and Other key activities and processes used for CMEP implementation. The ERO Enterprise maintains a consolidated Implementation Plan that provides guidance and implementation information common between NERC and the eight REs. Implementation Plan In 2014, NERC began consolidating its Implementation Plan with that of the REs. The consolidated plan uses a streamlined format that eliminates redundant information, improves transparency of CMEP activities, and promotes consistency among the REs Implementation Plans. This format provides ERO Enterprise-wide guidance and implementation information while preserving potential RE differences by appending RE-specific Implementation Plans to supplement the overall ERO Enterprise Implementation Plan. The RE Implementation Plans describe risk assessments that identify what risks the REs will consider as part of their compliance oversight plans. NERC is responsible for collecting and reviewing the RE Implementation Plans to help ensure REs provide appropriate and consistent information regarding how they conduct CMEP activities. NERC monitors RE progress of CMEP activities against the RE Implementation Plans throughout the year and reports on CMEP activities in a yearend annual CMEP report. 2 During the implementation year, NERC or an RE may update the Implementation Plan. Updates may include, but are not limited to: changes to compliance monitoring processes; changes to RE processes; or updates resulting from a major event, FERC order, or other matter. REs submit updates to the NERC Compliance Assurance group, which reviews the updates and makes any needed changes. When changes occur, NERC posts a revised plan on its website and issues a compliance communication. RE Implementation Plans were due to NERC for review and approval on or about October 1. NERC has since reviewed the Regional Implementation Plans and included them in this document in Appendix A (1 8). 1 NERC ROP, Section 403 (Required Attributes of RE Compliance Monitoring and Enforcement Programs). 2 ERO Enterprise Annual CMEP Reports available at NERC 2016 ERO CMEP Implementation Plan Version 2.2 December

10 Significant Initiatives Impacting CMEP Activities The following ongoing NERC initiatives continuing in 2016 impact the ERO Enterprise s CMEP implementation. Risk-Based Registration Initiative Background NERC launched the Risk-Based Registration (RBR) initiative in 2014 to streamline the approach to identify and evaluate risks to reliability throughout the ERO Enterprise. 3 The new registration process has established clearer thresholds and ensures that registration is based on risk to reliability. All reliability stakeholders should benefit from this initiative. NERC will continue work with the REs throughout 2016 to monitor the RBR effects and to assess the potential impact of RBR on other ongoing risk-based CMEP activities. NERC and the REs will determine if any other processes can be streamlined. Critical Infrastructure Protection Reliability Standards, Version 5 Background On November 22, 2013, FERC issued Order No. 791, approving new and revised Critical Infrastructure Protection (CIP) Reliability Standards, referred to as CIP Version 5. For Responsible Entities in the United States, the requirements in the CIP Version 5 standards applicable to high- and medium-impact Bulk Electric System (BES) Cyber Systems (BCSs) will become enforceable on April 1, 2016, and the requirements applicable to low-impact BCSs will become enforceable on April 1, In other jurisdictions, the CIP Version 5 standards become effective in accordance with the rules of those individual jurisdictions, respectively. Responsible Entities must identify and categorize their BCSs based on CIP Version 5 criteria that are commensurate with the adverse impact that loss, compromise, or misuse of those systems could have on the reliable operation of the BES. All registered entities, including those expected to have only Low Impact BES Cyber Systems, must be compliant with CIP R1 and R2 as of April 1, Activities The requirements of CIP Version 5 standards that will affect compliance expectations during 2016 are those with both initial and recurring performance obligations (e.g., at least once every 15 calendar months ). A list of requirements with performance expectations is included in the Implementation Plan for Version 5 CIP Cyber Security Standards. 4 Once the standards and definitions of terms used in CIP Version 5 become effective, the Responsible Entities identified in the Applicability section of the standard must comply with the requirements. While Critical Infrastructure Protection is identified as a separate risk element, discussed below in this report, it is important that the CIP Standards themselves are also linked to other risk elements identified in this document. Staff that assess compliance to the CIP standards are encouraged to coordinate with Operations and Planning staff to ensure that the appropriate risks are identified and addressed. 3 Refer to the RBR Imitative website that contains supporting documents and resources for ongoing RBR activities located here: NERC 2016 ERO CMEP Implementation Plan Version 2.2 December

11 Significant Initiatives Impacting CMEP Activities Physical Security NERC Reliability Standard CIP Background Physical Security NERC Reliability Standard CIP takes effect in October Requirement R1 is enforceable on October 1, Requirements R2 through R6 must be completed according to the timelines specified in the standard. Focus areas for CIP-014 will involve monitoring evidence for the following attributes: Number of assets critical under the Standard; Defining characteristics of the assets identified as critical; Scope of security plans (types of security and resiliency contemplated); Timelines included for implementing security and resiliency measures; and, Industry s progress in implementing the Standard For additional information on key implementation dates or details on CIP-014-2, registered entities should communicate with their points of contact at the RE. 3

12 Risk-Based Approach to Compliance Monitoring and Enforcement Risk-Based Compliance Monitoring Risk-based compliance monitoring involves the use of the ERO Enterprise Risk-Based Compliance Oversight Framework (Framework) depicted in Figure 1 below. The Framework focuses on identifying, prioritizing, and addressing risks to the BPS, which enables each CEA to focus resources where they are most needed. REs are responsible for tailoring their monitoring (i.e., monitoring tools and the frequency and depth of monitoring engagements) of registered entities using the Framework described below. Figure 1. Risk-Based Compliance Oversight Framework During 2016 and beyond, CEAs will continue deploying processes and tools used to support risk-based compliance oversight. NERC and the REs are committed to ensuring full transformation to risk-based compliance oversight, and NERC and the REs plan to continue communications, training, and outreach throughout As reliability risk is not the same for all registered entities, the Framework examines BPS risk as well as individual registered entity risk to determine the most appropriate CMEP tool to use when monitoring a registered entity s compliance with NERC Reliability Standards. The Framework also promotes an examination into how registered entities operate and tailors compliance monitoring focus to areas that pose the greatest risk to BPS reliability. The elements in Figure 1 are dynamic and are not independent; rather, they are complementary and dependent on each other. The first step of the Framework is identification and prioritization of continent-wide risks based on the potential impact to reliability and the likelihood that such an impact might be realized, resulting in an annual compilation of ERO Enterprise risk elements. NERC Reliability Standards are in place to help ensure the reliable operation of the BPS. That is, the elements of the BPS should be operated so that instability, uncontrolled separation, and cascading failures of the system will not occur. Through the identification of risk elements, the ERO Enterprise maps a preliminary list of applicable NERC Reliability Standards and responsible registration functional categories to the risk elements, known as areas of focus. The areas of focus represent an initial list of NERC Reliability Standards on which the ERO Enterprise focuses compliance monitoring efforts. However, the risk elements and areas of focus contained with the Implementation Plan do not constitute the entirety of the risks that may affect the BPS. NERC 2016 ERO CMEP Implementation Plan Version 2.2 December

13 Risk-Based Approach to Compliance Monitoring and Enforcement The Implementation Plan contains the ERO Enterprise risk elements, which provide guidance to REs in the preparation of their RE Implementation Plans. REs are expected to further consider local risks and specific circumstances associated with individual registered entities within their footprints when developing their compliance oversight plans. The process for identifying ERO Enterprise and RE risk elements, and their associated areas of focus, is explained later in the document. After risk elements and their associated areas of focus are identified and prioritized, the Inherent Risk Assessment (IRA) occurs. The IRA involves a review of potential risks posed by an individual registered entity to the reliability of the BPS. 5 An IRA considers factors such as assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition. In considering such factors, an IRA is not limited by the risk elements and associated areas of focus identified in the 2016 ERO Enterprise CMEP IP. Rather, the IRA considers multiple factors to focus oversight to entity-specific risk and results in the identification of the standards and requirements that should be monitored. When developing more specific monitoring plans for registered entities in their footprints, the REs also take into account any information obtained through the processes outlined in the Internal Control Evaluation (ICE) Guide. 6 The ICE guide describes the process for identifying key controls, testing their effectiveness, and documenting the conclusions of the ICE, allowing a further refinement of the compliance oversight plan. As a result of the ICE, the REs may further focus compliance monitoring activities for a given entity, and may, for example, change the depth and how thoroughly a particular area is reviewed. 7 Registered entities may elect not to participate in an ICE. In that case, the RE will use the results of the IRA to determine the appropriate compliance oversight strategy, including areas of focus and tools within the determined scope. Ultimately, the RE will determine the type and frequency of the compliance monitoring tools (e.g., offsite or onsite audits, spot checks or self-certifications) that are warranted for a particular registered entity based on reliability risks; therefore, the RE may modify the set of core NERC Reliability Standards or pursue compliance assurance through any monitoring considerations. The determination of the appropriate CMEP tools will be adjusted, as needed, within a given implementation year. Coordinated Oversight of Multi-Region Registered Entities In 2014, the ERO Enterprise initiated the process of developing a comprehensive coordinated oversight program of multi-region registered entities (MRREs). 8 The Coordinated Oversight Program for MRREs is designed to streamline risk assessment, compliance monitoring and enforcement, and event analysis activities for the registered entities that use, own, or operate assets in areas covering more than one RE territory. 5 ERO Enterprise Inherent Risk Assessment Guide, available at % _%20(posted% ).docx 6 ERO Enterprise Internal Control Evaluation Guide, available at Posted_ docx 7 For example, if a registered entity demonstrates effective internal controls for a given Reliability Standard during the ICE, the Regional Entity may determine that it does not need to audit the registered entity s compliance with that Reliability Standard as frequently, or the RE may select a different monitoring tool. 8 Coordinated Oversight of MRRE Program Development and Implementation, available at and Compliance Monitoring and Enforcement for Entities Registered in Multiple Regions Webinar June 23, 2015, available at 5

14 Risk-Based Approach to Compliance Monitoring and Enforcement Under the Coordinated Oversight Program for MRREs, REs will coordinate their oversight responsibilities over MRREs by designating one Lead RE (LRE) to each MRRE or a group of MRREs. 9 The LRE is selected based on BPS reliability considerations and the registered entity s operational characteristics. The selected LRE works collaboratively with the remaining REs, known as Affected REs, and informs NERC of activities as appropriate. The Coordinated Oversight Program is flexible and voluntary for MRREs. Compliance Assessments for Events and Disturbances An important component of the ERO Enterprise s risk-based approach to compliance monitoring is voluntary participation in the Compliance Assessment (CA) Process by registered entities after an event or disturbance. Through the Event Analysis Process, the ERO Enterprise promotes a culture of reliability excellence that encourages an aggressive and critical self-review and analysis of operations, planning, and critical infrastructure performance. The CA Process is a complementary review of the event focused on the evaluation of compliance with Reliability Standards. A registered entity completes a CA by reviewing the facts and circumstances of an event or disturbance, identifying relevant Reliability Standards and Requirements, evaluating compliance with these standards and requirements, and self-reporting any potential noncompliance. RE compliance staff also assess significant events and disturbances to increase awareness of reliability risks that may guide further compliance monitoring activities. Registered Entity Responsibilities in CA Process The ERO Enterprise encourages registered entities to perform a voluntary, systematic CA in response to all system events and disturbances. Registered entities are also encouraged to share the CA with the RE for all Category 2 and above events. The ERO Event Analysis Process describes the categories for events. 10 Registered entities should use the Sample Compliance Assessment Report template (Appendix 3 of this document) when performing a CA. In addition to the completed CA template, registered entities should provide to the RE sufficient event information, such as the Brief Report or Event Analysis Report, so the RE may thoroughly understand the event. Registered entities that follow the process above to systematically evaluate their own compliance performance, self-report potential noncompliance, and address reliability issues demonstrate the effectiveness of their internal controls and their commitment to a culture of compliance. Registered entities that are able to demonstrate strong internal controls and a robust culture of compliance that mitigates risk may be afforded some recognition by way of reduced levels and frequency of compliance monitoring activities. Mitigating credit for these actions is also considered during the enforcement of a noncompliance. Such credit is available to the registered entity for comprehensive CAs that clearly demonstrate a systematic review of applicable standards and, as appropriate, selfreporting. RE Responsibilities in CA Process REs will review system event reports and CA reports provided by registered entities and may use a risk-based approach to prioritize these evaluations. However, the REs will conduct a Regional Compliance Evaluation (RCE) for all Category 2 and above events. By exception, the RE may also examine lower category events that indicate the need for closer examination. As part of its independent evaluation of the CA, the RE may request additional information from the registered entity if it is needed to better understand the event. This process, while informal, may be used to recommend a formal compliance monitoring method, such as a spot check, or be used to recommend a modification to the scope of an upcoming audit. 9 The intent of the Coordinated Oversight Program of MRREs is to have a single LRE. However, although not anticipated, if needed there may be multiple LREs

15 Risk-Based Approach to Compliance Monitoring and Enforcement The scope of RCEs and the manner in which the REs and NERC evaluate, process, and respond to these reviews should reflect the significance of the event. The registered entity can greatly assist the RE by providing a thorough and systematic self-evaluation in its CA. The RE will share the RCE and CA with NERC staff. Risk-Based Enforcement The ERO Enterprise s risk-based enforcement defines, communicates, and promotes desired entity behavior in an effort to improve the reliability of the BPS. Specifically, risk-based enforcement allows the ERO Enterprise to focus on higher risks to the reliability of the BPS while maintaining the ERO Enterprise s visibility into potential noncompliance issues, regardless of the level of risk they pose. With this in mind, the ERO Enterprise developed Compliance Exceptions and the self-logging program to resolve instances of minimal-risk noncompliance in particular, those that are self-identified in a more streamlined manner. Compliance Exceptions Beginning in November 2013, the ERO Enterprise began identifying minimal-risk noncompliance that does not warrant a penalty and that would be recorded and mitigated without triggering an enforcement action. This type of noncompliance, which is not pursued through an enforcement action by the ERO Enterprise, is called a Compliance Exception. Compliance Exceptions build on the success of the Find, Fix, Track and Report (FFT) program, which was the first step in implementing a risk-based strategy that recognizes that not all instances of noncompliance require the same type of enforcement process. The use of this streamlined mechanism is informed by the facts and circumstances of the noncompliance, the risk posed by the noncompliance to the reliability of the BPS, and the deterrent effect of an enforcement action or penalty, among other things. These considerations are very similar to the considerations that have been used since 2011 to determine whether a noncompliance should be processed as an FFT. Only a noncompliance posing minimal risk to the reliability of the BPS is eligible for Compliance Exception treatment. Self-Logging Program Through the self-logging program, the ERO Enterprise encourages registered entities to detect, accurately assess the risk of, and adequately mitigate minimal-risk noncompliance with Reliability Standards. In evaluating whether a registered entity is eligible for the program, an RE reviews the internal controls the registered entity uses to selfassess and address its noncompliance. In this sense, the evaluation of eligibility for self-logging is distinct from an ICE conducted for the purposes of tailoring the specific monitoring activities of a CEA for a particular registered entity. Registered entities found eligible by the CEA to participate in the self-logging program, after a formal review of internal controls, may be granted approval by the CEA to log noncompliance for subsequent review in lieu of submitting a self-report. In determining eligibility for self-logging, the Regional Entities consider whether a registered entity is capable of self-identifying and mitigating minimal risk noncompliance on its own, as demonstrated by, among other things: 1) the registered entity s history of initiative and recognition of compliance obligations; 2) the registered entity s reliable and accurate self-reporting of noncompliance to the Regional Entities; 3) the registered entity s history of mitigating its noncompliance in a timely and thorough manner; 4) the quality, comprehensiveness, and execution of the registered entity s ICP; 5) the registered entity s cooperation with the RE during enforcement actions, compliance monitoring activities, and RE outreach; and 6) the registered entity s performance during regional Compliance Audits. The log is limited to noncompliance posing a minimal risk to the reliability of the BPS unless otherwise authorized by an applicable governmental authority. Approved registered entities maintain a log with a detailed description of the noncompliance, the risk assessment, and the mitigating activities completed or to be completed. There is a rebuttable presumption that minimal-risk noncompliance logged in this manner will be resolved as a CE. The CEA periodically reviews the logs and provides the resulting CEs to NERC for posting on the NERC website. 7

16 Risk-Based Approach to Compliance Monitoring and Enforcement The self-logging program also encourages the development and communication of management practices by registered entities and rewards registered entities for implementing demonstrated, effective controls to detect and correct issues as they arise. Risk-Based Compliance Oversight Plan Process for Risk Elements and Associated Areas of Focus The ERO Enterprise continues to identify risks to the reliability of the BPS, as well as mitigating factors that may reduce or eliminate a given reliability risk, and the ERO Enterprise will continue to do so under the Framework referenced above. As such, NERC identifies risk elements using data including, but not limited to: compliance findings; event analysis experience; data analysis; and the expert judgment of NERC and RE staff, committees, and subcommittees (e.g., NERC Reliability Issues Steering Committee). NERC uses these risk elements to identify and prioritize interconnection and continent-wide risks to the reliability of the BPS. These identified risks, as well as risks to the reliability of the BPS identified by each RE for its footprint, will be used by REs to focus monitoring activities in the upcoming year, and they become inputs for developing oversight plans for individual registered entities. For the purpose of the Implementation Plan, areas of focus highlight ERO Enterprise-wide and RE-specific risks that merit increased focus for compliance monitoring, which becomes a part of an individual registered entity s compliance oversight plan. The areas of focus do not represent the exclusive list of important or relevant Reliability Standards or Requirements, nor are the areas of focus the entirety of the risks that may affect the reliability of the BPS. Rather, REs will consider the risk elements and areas of focus to help prioritize compliance monitoring efforts. When developing entity-specific compliance oversight plans, REs consider local risks and specific circumstances associated with individual registered entities. They focus on a complete picture of reliability risks to determine the appropriate compliance monitoring tool for registered entities. As a result, a particular registered entity s scope of monitoring may include more, fewer, or different Reliability Standards than those outlined in the ERO and RE CMEP IPs. The determination of the appropriate CMEP tools may be adjusted, as needed, within a given implementation year. Additionally, NERC and the REs have the authority to monitor compliance with all applicable Reliability Standards whether they are identified as areas of focus to be considered for compliance oversight in the annual Implementation Plan or are included in an RE s oversight plan for a registered entity. NERC followed the risk element development process outlined in the Risk Elements Guide for Development of the 2015 ERO Enterprise CMEP Implementation Plan to review and reassess the 2015 risk elements to determine applicability for Although the Implementation Plan identifies NERC Standards and Requirements for consideration for focused compliance monitoring, the ERO Enterprise recognizes by using the Framework and riskbased processes that REs will develop a focused list of NERC Reliability Standards and Requirements specific to the risk a registered entity poses. Therefore, a particular area of focus under a risk element does not imply (1) that the identified NERC standard(s) fully addresses the particular risk associated with the risk element; (2) that the identified NERC Standard(s) is only related to that specific risk element; or (3) that all requirements of a NERC standard apply to that risk element equally. Subject to NERC monitoring, REs will consider the ERO Enterprise risk elements, along with RE risk elements, when conducting compliance monitoring activities and assessing compliance with identified NERC standards and requirements. Risk Element Results For 2016, NERC refined the nine 2015 risk elements down to eight. Specific refinements include combining some risk elements into broader categories, with more specified areas of focus under each risk element, and revising 11 Risk Elements Guide for Development of the 2015 CMEP IP, available at 8

17 Risk-Based Approach to Compliance Monitoring and Enforcement the risk element names to more accurately reflect the risk involved. Table 2 compares the 2015 risk elements to the new, refined 2016 risk elements. Table 1. Critical Comparison of 2015 and 2016 Risk Elements 2015 Risk Elements 2016 Risk Elements Cybersecurity Critical Infrastructure Protection Extreme Physical Events Extreme Physical Events Infrastructure Maintenance Maintenance and Management of BPS Assets Monitoring and Situational Awareness Monitoring and Situational Awareness Protection System Misoperations Uncoordinated Protection Systems Protection System Failures Long-Term Planning and System Analysis Event Response/Recovery Planning and System Analysis Human Error Human Performance Workforce Capability (N/A for 2016) 2016 Risk Elements The eight risk elements below are not a comprehensive list of all risks to the reliability of the BPS. Standards, requirements, and associated functions for each area of focus may be updated throughout the year to reflect new versions of the standards that become effective. Where issues are being addressed through other mechanisms, they are not included herein for compliance assurance activities Critical Infrastructure Protection The protection of critical infrastructure remains an area of significant importance and is addressed in the RISC s ERO Priorities: RISC Updates and Recommendations report 13, the Cyber Attack Task Force Final Report 14, and in NERC s ERO Top Priority Reliability Risks report. 15 The risk includes threats and vulnerabilities that result from (1) system downtime, (2) unauthorized access, and (3) corruption of operational data. While Critical Infrastructure Protection is identified as a separate risk element, the CIP standards themselves are also linked to other risk elements identified in this document. The CIP standards address protection of the BES; thus, errors in identifying and categorizing the appropriate BES components could lead to ineffective or missing security measures. There are also situations in which Operations and Planning standards could affect CIP risk elements (e.g., CIP-008 and CIP-009 deal with response planning and recovery from cyber events and as such could have been included as part of the Events Response/Recovery risk element). System Downtime NERC has analyzed data and identified that outages of tools and monitoring systems are fairly common occurrences. Events involving a complete loss of SCADA control, or monitoring functionality for 30 minutes or more, are the most common grid-related events since 2012 and limit the situational awareness of operators. Less- 12 For example, vegetation management and right-of-way clearances, while key priorities, are not areas of focus for compliance assurance activities because they are being addressed through other ongoing targeted initiatives. 13 ERO Priorities: RISC Updates and Recommendations available at 14 Cyber Attack Task Force Final Report available at CATF_Final_Report_BOT_clean_Mar_26_2012-Board%20Accepted% pdf 15 ERO Top Priority Reliability Risks available at 9

18 Risk-Based Approach to Compliance Monitoring and Enforcement than-adequate situational awareness has the potential for significant negative reliability consequences and is often a precursor event or contributor to events. Additionally, insufficient communication and data regarding neighboring entities operations could result in invalid assumptions of another system s behavior or system state. Furthermore, with the transition to CIP Version 5 in 2016, entities are to use a rigorous criteria to determine the BCSs that will be subject to the technical security requirements. With such a major shift in this key aspect of entities CIP and security programs, it is important to perform the analyses early so that critical BCSs are identified and potential gaps in the security controls used to protect BCSs is minimized. Unauthorized Access Unauthorized access can lead to BCSs being compromised and is a major risk to systems that are used to monitor and control the BES. The RISC report describes the implementation of mandatory CIP standards and the establishment of the E-ISAC as substantial risk mitigation measures, but cyber-attack is a constantly evolving threat. Any communication gaps between cyber experts and industry operators could lead to vulnerabilities. Also, the fast-paced rate of changes in technology with increased reliance on automation, remote control technology, and grid sensors that enable the close monitoring and operations of systems means that advanced tools are needed to counter those threats. Corruption of Operational Data Misconfiguration of BES Cyber Assets, which often results from gaps in change management processes, can make the devices used to monitor and control the BPS subject to more attacks. Areas of Focus 16 Table 2. Critical Infrastructure Protection Standard Requirements Entities for Attention Asset Types Balancing Authority Generator Operator Control Centers Backup Control Centers CIP R1, R2 Generator Owner Data Centers Reliability Coordinator Substations Transmission Operator Generation Facilities Transmission Owner CIP CIP R1, R2 R1, R2, R3 Balancing Authority Generator Operator Generator Owner Reliability Coordinator Transmission Operator Transmission Owner Balancing Authority Reliability Coordinator Transmission Operator Transmission Owner Control Centers Backup Control Centers Data Centers Substations Generation Facilities Control Centers Backup Control Centers Data Centers Substations 16 While Table 2 lists the CIP Version 5 Reliability Standards, the ERO, through release of its Cyber Security Reliability Standards CIP Version 5 Transition Guidance, actively encourages and supports registered entities transitioning from compliance with the Version 3 Reliability Standards directly to the Version 5 Reliability Standards. As stated in that guidance, NERC and the Regional Entities will take a flexible compliance monitoring and enforcement approach for the CIP Reliability Standards prior to the Enforceable Date of the Version 5 Reliability Standards, recognizing that the details of implementing a Version 3 to Version 5 transition may cause a significant impact on certain compliance monitoring activities. 10

19 Risk-Based Approach to Compliance Monitoring and Enforcement Table 2. Critical Infrastructure Protection Standard Requirements Entities for Attention Asset Types Balancing Authority Control Centers CIP R1, R2, R3, R5 Transmission Owner Reliability Coordinator Backup Control Centers Transmission Operator Data Centers 2. Extreme Physical Events Extreme physical events can include acts of nature or man-made events that cause extensive damage to equipment and systems. NERC identified this concern as a significant risk in its ERO Top Priority Reliability Risks report as well as in the RISC s ERO Priorities: RISC Updates and Recommendations report. As concluded in the RISC report, the potential consequences of such events are high enough to warrant increased focus to properly address the risk. Acts of Nature The RISC report identifies severe weather events (e.g., hurricanes, tornadoes, polar vortices, GMDs, etc.) as physical events that, at the extreme, can cause equipment damage that is interconnection-wide, lead to fuel limitations, and disrupt telecommunications. Because of the long lead time needed to manufacture and replace some BPS assets, an extreme physical event that causes extensive damage to equipment could result in degraded reliability for an extended period of time. Man-made The second component of extreme physical events is those that are man-made. As stated in the RISC report, coordinated sabotage such as localized physical attacks of significance or electromagnetic pulse (EMP) attacks are physical events that, at the extreme, can cause extensive interconnection-wide equipment damage and disrupt telecommunications. As previously mentioned, the lead time for manufacturing and replacing some BPS assets could result in degraded reliability for an extended period of time. Areas of Focus Table 3. Extreme Physical Events Standard Requirements Entities for Attention EOP R1, R3 Reliability Coordinator Transmission Operator CIP R1, R2, R3 Transmission Owner 3. Maintenance and Management of BPS Assets As the BPS ages, lack of infrastructure maintenance is a reliability risk that continues to grow. NERC identified this concern in its ERO Top Priority Reliability Risks report as well as the RISC s ERO Priorities: RISC Updates and Recommendations report. The RISC report identifies that the failure to maintain equipment is a reliability risk exacerbated when an entity either does not have replacement components available or cannot procure needed parts in a timely fashion. Deficiencies in maintenance strategies create additional pressure on sparing programs and the ability to replace aging infrastructure. Another risk, highlighted by NERC s 2010 Facility Ratings Alert to industry, involved the misalignment between the design and actual construction of BPS facilities. Additionally, compliance data analysis shows that PRC-005 has the highest number of reported noncompliance and serious or moderate risk filings in the past four years. 11

20 Risk-Based Approach to Compliance Monitoring and Enforcement Areas of Focus Table 4. Maintenance and Management of BPS Assets Standard Requirements Entities for Attention FAC R6 Generator Owners Transmission Owners PRC-005-2(i) R3, R4, R5 Distribution Providers Generator Owners Transmission Owners 4. Monitoring and Situational Awareness Without the right tools and data, operators can make decisions that may or may not be appropriate to ensure reliability for the given state of the system. NERC s ERO Top Priority Reliability Risks notes that stale data and lack of analysis capabilities contributed to the blackout events in 2003 ( August 14, 2003 Blackout ) and 2011 ( Arizona-Southern California Outages ). Certain essential functional capabilities must be in place with upto-date information available for staff to use on a regular basis to make informed decisions. An essential component of Monitoring and Situational Awareness is the availability of information when needed. Unexpected outages of tools, or planned outages without appropriate coordination or oversight, can leave operators without visibility to some or all of the systems they operate. While failure of a decision support tool is rarely the cause of an event, such failures manifest as latent risks that further hinder the decision making capabilities of the operator. One clear example of this is the August 14, 2003 Blackout NERC has analyzed data and identified that outages of tools and monitoring systems are fairly common occurrences. The RISC s ERO Priorities: RISC Updates and Recommendations report and NERC s ERO Top Priority Reliability Risks report recognize this concern. Areas of Focus Table 5. Monitoring and Situational Awareness Standard Requirements Entities for Attention IRO a R1, R2 Reliability Coordinator TOP R1, R2, R7 Balancing Authority Reliability Coordinator Transmission Operator 5. Protection System Failures Protection systems are designed to remove equipment from service so it won t be damaged when a fault occurs. Protection systems that trip unnecessarily can contribute significantly to the extent of an event. When protection systems are not coordinated properly, the order of execution can result in either incorrect elements being removed from service or more elements being removed than necessary. This can also occur with Special Protection Systems, Remedial Action Schemes, and Underfrequency Load Shedding and Undervoltage Load Shedding schemes. Such coordination errors occurred in the Arizona-Southern California Outages (see recommendation 19) 17 and the August 14, 2003 Blackout (see recommendation 21). 18 Additionally, a protection system that does not trip or is slow to trip may lead to the damage of equipment (which may result in degraded reliability for an extended period of time), while a protection system that trips when it 17 See Arizona-Southern California Outages on September 8, See Final Report on the August 14, 2003 Blackout. 12

21 Risk-Based Approach to Compliance Monitoring and Enforcement shouldn t can remove important elements of the power system from service at times when they are needed most. Unnecessary trips can even start cascading failures as each successive trip can cause another protection system to trip. The NERC 2015 State of Reliability report concludes that protection system misoperations can severely increase risk to reliability. According to the report, 68 percent of the transmission-related events meeting a category description in the ERO Event Analysis Process have protection system misoperations associated with them that either initiated the event or caused it to be more severe. 19 Both the RISC s ERO Priorities: RISC Updates and Recommendations report and NERC s ERO Top Priority Reliability Risks report recognize protection systems as a significant risk based on analysis contained in the state of reliability reports from 2012, 2013, and Areas of Focus Table 6. Protection System Failures Standard Requirements Entities for Attention PRC (ii) R3, R4, R5 Generator Operator Transmission Operator PRC (i)a R1, R2 Distribution Provider Generator Owner Transmission Owner 6. Event Response/Recovery When events occur, the safe and efficient restoration of transmission service to critical load in a timely manner is of utmost importance. As the RISC identifies in its ERO Priorities: RISC Updates and Recommendations report, the effect of poor event response and recovery is far reaching and not only causes safety, operational, or equipment related risks during restoration activities, but also contributes to prolonged transmission outage durations, thereby increasing the duration of BPS unreliability. An additional risk to event response and recovery is the unavailability of generators. Extreme weather conditions, severe cold, heat, and drought create significant stress on maintaining overall BPS reliability and present unique challenges for electric system planners and operators. These conditions can significantly increase residential and commercial electricity demand and consumption, at the same time imposing adverse RE generation impacts and fuel availability issues. Extreme weather conditions can also vary the amount of wind and clouds (fuel for variable energy resources) that impact the expected amount of available renewable generation in some areas. When combined, the heightened electricity demand, increased potential for failure of power plant components, limitations on fuel supply availability, and competing use of certain fuels can lead to increased risks of adverse reliability impacts, including simultaneous forced outages, de-ratings, and failures to start of multiple generating units. When these severe conditions are present over large geographic areas, the combined impacts on the fuel supply, power plant operations, generation unavailability, and heightened electricity demand can lead to severe reliability impacts. These extreme conditions occur beyond the extent of planned stress conditions, anticipated severe operation conditions, or fuel supply availability expectations. Further, the conditions can lead to imprecise forecasts of residential and commercial electricity demand, which is the baseline for planning the BPS and operators determining the amount of electric generation needed during critical periods. When the combination of some, or all, of these conditions occurs during these extreme incidents, the end result can be operations under severe 19 See ERO Event Analysis Process V2.1 13