2015 fall workshop - southwest power pool fall... · effective internal controls tiffany...


Post on 28-Jun-2020


Page 1: 2015 Fall Workshop - Southwest Power Pool fall... · Effective Internal Controls Tiffany Lake,Westar Terri Pyle, OG&E 9:20-9:35 Break 9:35-10:35 5 - Mitigation Expectations Simran

2015 Fall Workshop

You can also email questions/comments to [email protected] If you want a Professional Development Hours letter, email [email protected]

Download Materials and Submit Questions @ SPP.org ->Regional Entity ->2015 Fall Workshop:

Online question box submissions generate an email to staff from [email protected]


Wednesday, September 30

7:30-8:00 Registration and light breakfast

8:00-8:10 Welcome

8:10-9:20 4 - Registered Entity Panel on Effective Internal Controls: Jim Nail, City of Independence; Tiffany Lake, Westar; Terri Pyle, OG&E

9:20-9:35 Break

9:35-10:35 5 - Mitigation Expectations Simran Ahuja, NERC

10:35-10:45 Break

10:45-11:15 6 - General Manager’s Update Ron Ciesiel, SPP RE

11:15-11:45 7 - 50th Anniversary of 1965 Blackout Dave Christiano, SPP RE Trustee

11:45-12:00 Closing/Surveys Gerry Burrows, SPP RE Trustee

12:00-1:00 Lunch

The workshop is followed by the RTO Compliance Forum for members and Registered Entities, which requires separate registration.

Tuesday, September 29

7:30-8:00 Registration and light breakfast

8:00-8:30 Welcome John Meyer, SPP RE Trustees Chair

8:30-9:25 1 - CIP Update and Q&A Steven Keller & Shon Austin, SPP RE

9:25-9:40 Break

9:40-10:45 2 - Revised Standards in Training (PER-005-2) & Protection Systems (PRC-004-3/4, PRC-005-3(i), PRC-019-1/2, PRC-024-2) Mike Hughes, Jim Williams, Thomas Teafatiller, SPP RE

10:45-11:00 Break

11:00-12:00 3 - 2016 Compliance Program Jim Williams & Jeremy Withers, SPP RE

12:00-1:00 Lunch

1:00-4:40 Break-Out Sessions (see next page)

4:50-5:00 Q&A / Closing


September 29 Break-Out Sessions

Seating is “first come, first served”. Bring your questions and discussion points! We will leave the phones on in the ballroom for the CIP break-out sessions, but the other sessions will not be available via phone or webex.

1:00-2:00

Ballroom (no limit): CIP V5 Evidence and Expectations. Facilitated by Sushil Subedi and Steven Keller

Lashio (seats 40): Compliance 101 (for those new to NERC compliance). Facilitated by Mike Hughes and Thomas Teafatiller

Martaban (seats 60): Quality Evidence for FAC-008 and PRC-005. Facilitated by Jeff Rooker and Jim Williams

2:10-3:10

Ballroom (no limit): Low Impact BES Cyber Systems. Facilitated by Shon Austin, Sushil Subedi, Robert Vaughn

Lashio (seats 40): Disposition Methods for Non-Compliance Issues. Facilitated by Joe Gertsch, Jeremy Withers, and Jeff Rooker

Martaban (seats 60): Inherent Risk Assessment (IRA)/Internal Control Evaluation (ICE). Facilitated by Steven Keller, Robert Vaughn, and Jim Williams

3:10-3:40 Snack and Coffee Break

3:40-4:40

Ballroom (no limit): CIP Open Q&A. Facilitated by CIP Team

Lashio (seats 40): Compliance for Small Entities in Multiple Regions. Facilitated by Bill Bateman, Senior Project Manager at GDS Associates and PCC for several Registered Entities - with Jim Williams, Joe Gertsch, and Thomas Teafatiller

Martaban (seats 60): New TOP Standards. Facilitated by Greg Sorenson and Jeff Rooker

4:50 Return to ballroom for closing


CIP Updates

September 29, 2015

Steven Keller and Shon Austin SPP RE Staff


Overview

• 2016 Outreach

• Site visits for substations

• Audit approach

• V5 Lessons Learned and FAQs

• Open Issues


2016 Outreach

• V5 outreach Jan. – Mar. 2016

– Preparation for CIP V5 effective date of 4/1/16

• Outreach will shift to Low Impact after 4/1/16

• Free to Registered Entities

– No cost for us to talk

• No limits on topics

– Agenda is driven by Registered Entity

• Invite anyone you wish

– It can be closed or open to other Registered Entities

• Onsite visit or webex/teleconference


Audit Visits for Substations

• Visit off-site

• Must show sufficient evidence of compliance

– Photos

– Diagrams

– Documentation

• Goal of reducing travel time

– Substations with only low-impacting BES Cyber Systems

– We will give Registered Entity a list of substations


Audit Approach

• Moving away from two weeks onsite

– Aiming for one week onsite with Registered Entity

• Two week pre-audit work

– More interaction during off-site audit review

– Daily calls with Registered Entity

• Eliminate Requirements during pre-audit

• Still will need to do site visits

• Audit success depends on quality evidence


CIP Version 5 Guidance

• July 1 meeting

– On July 1, 2015, NERC hosted a small, executive-focused face-to-face meeting to discuss the issues in the CIP Version 5 Memoranda

– Led to the posting of industry-vetted Lessons Learned and FAQ via Section 11 of the NERC Standard Processes Manual (SPM).


Lessons Learned and FAQs (as of 9/24/15)

Each entry gives the posting date, the Transition Update Type, the deadline for comments, and the topics posted.

• 1/8 Key Postings (deadline for comments: 2/6)
– Programmable Electronic Device Lesson Learned
– Interactive Remote Access Lesson Learned
– EACMS Mixed Trust Authentication Lesson Learned

• 1/28/15 Key Postings (deadline for comments: N/A)
– FAQ Industry Comments

• 3/2 Key Postings (deadline for comments: 3/30)
– Grouping of BES Cyber Systems (Revised) Lesson Learned
– Functional Obligations and Control Centers Lesson Learned

• 3/13 RSAWs (deadline for comments: 4/14)
– Posted project page.

• 4/1 Draft FAQs Posted for Industry Comment (deadline for comments: 5/15)
– Frequently Asked Questions (FAQs) Posted for Comment

• 4/22 Transition Update (deadline for comments: None listed)
– Follow-Up to Implementation Study Report
– Impact Rating Criteria 2.3 and 2.6
– Impact Rating for Generation Connection Facilities
– Network and Externally Accessible Devices
– Programmable Electronic Device
– Control Centers and Functional Obligations

• 5/1 Draft FAQs Posted for Industry Comment (deadline for comments: 6/15)
– CIP V5 Frequently Asked Questions

• 7/6 Key Postings (deadline for comments: N/A)
– July 1 Meeting Coordination and Way Forward

• 7/20 Key Postings (deadline for comments: 8/21)
– Re-post EACMS Mixed Trust Authentication Lesson Learned
– Re-post Interactive Remote Access Lesson Learned
– Frequently Asked Questions CIP Version 5 Standards

• 8/19 Key Postings (deadline for comments: None listed)
– Communications and Networking Cyber Assets
– IRC 2.3 and 2.6 Compliance Dates
– Generation Interconnection Lesson Learned

• 9/10 Key Postings (deadline for comments: None listed)
– BES Cyber Assets Lesson Learned
– External Routable Connectivity Lesson Learned


Open Issues

• XML Listener

• Scripting and baselines

• Patch assessments

• Patch implementation

• Conducting PRAs for Contractors

• Alerts for Security Events


Issues and Concerns V5

• XML Listener

- Means of systematically communicating operating generation dispatch instructions from BA to GO (for Setpoints and Start-up/Shutdown notifications)

• Solution

- Place applicable asset within its own Demilitarized Zone (DMZ)

- Enable the required ports

- Allow the IP addresses required by BA


Issues and Concerns V5

• Scripting and Baselines

A. Scripts that are stored on the BES Cyber Asset (BCA) and have been developed and/or customized locally?

B. Scripts that are not stored on a BCA, but have been developed and/or customized locally?

C. Scripts that were delivered with a third-party application, can be locally customized, but have not been?

D. Scripts that were delivered with a third-party application, but cannot be locally customized?

• Solution


A – Baseline

B – No Baseline Required

C – No Baseline Required

D – No Baseline Required


Issues and Concerns V5

• Patch Assessments

- What is the maximum number of days the CIP requirement allows to assess a security patch?

• Solution

- 35 days to complete the assessment after the patch is released by the Registered Entity’s designated source


Issues and Concerns V5

• Patch Implementation

- What is the maximum number of days the CIP requirement allows to implement an applicable security patch?

• Solution

- 35 days after the patch has been assessed and found applicable


Issues and Concerns V5

• Patch Implementation

- What if I can’t implement the patch within 35 days of assessment?

• Solution

- Develop a new mitigation plan, or

- Update an existing mitigation plan and get CIP Senior Manager or delegate approval

- You may need a Technical Feasibility Exception
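The three patch slides above describe one timeline: 35 days to assess after release, 35 days to implement after a patch is found applicable, and a mitigation plan when that cannot be met. The tracker below is an added example, not part of the SPP RE slides; the record fields, patch identifiers and dates are constructed, and it assumes calendar days and that a mitigation plan must be dated inside the same 35-day implementation window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=35)  # limit the slides give for assessment and for implementation


@dataclass
class PatchRecord:
    patch_id: str                           # constructed identifier, not a real advisory
    released: date                          # release date at the designated source
    assessed: Optional[date] = None         # date the assessment was completed
    applicable: Optional[bool] = None       # outcome of the assessment
    implemented: Optional[date] = None      # date the patch was installed
    mitigation_plan: Optional[date] = None  # date a plan was created or updated and approved


def evaluate(rec: PatchRecord, today: date) -> dict:
    """Return the current phase, the next deadline and any findings for one patch."""
    findings = []
    assess_due = rec.released + WINDOW
    if rec.assessed is None:
        if today > assess_due:
            findings.append("assessment overdue")
        return {"phase": "assessment", "due": assess_due, "findings": findings}
    if rec.applicable is None:
        raise ValueError(f"{rec.patch_id}: assessed but no applicability decision recorded")
    if rec.assessed > assess_due:
        findings.append("assessment completed late")
    if not rec.applicable:
        return {"phase": "closed (not applicable)", "due": None, "findings": findings}

    # The implementation clock starts at the assessment date, not the release date.
    action_due = rec.assessed + WINDOW
    plan_in_time = rec.mitigation_plan is not None and rec.mitigation_plan <= action_due
    if rec.implemented is not None:
        if rec.implemented > action_due and not plan_in_time:
            findings.append("implemented late with no mitigation plan inside the window")
        return {"phase": "closed (implemented)", "due": None, "findings": findings}
    if rec.mitigation_plan is not None:
        if not plan_in_time:
            findings.append("mitigation plan dated after the window")
        return {"phase": "mitigation plan open", "due": None, "findings": findings}
    if today > action_due:
        findings.append("implementation overdue and no mitigation plan")
    return {"phase": "implementation", "due": action_due, "findings": findings}


def findings_report(records, today: date) -> dict:
    """Map patch_id -> findings for every record that has at least one finding."""
    report = {}
    for rec in records:
        result = evaluate(rec, today)
        if result["findings"]:
            report[rec.patch_id] = result["findings"]
    return report


# Constructed sample records for illustration only.
SAMPLE = [
    PatchRecord("P-001", released=date(2016, 4, 4)),
    PatchRecord("P-002", released=date(2016, 4, 4), assessed=date(2016, 5, 2), applicable=True),
    PatchRecord("P-003", released=date(2016, 3, 1), assessed=date(2016, 3, 20), applicable=True,
                implemented=date(2016, 5, 10), mitigation_plan=date(2016, 4, 20)),
    PatchRecord("P-004", released=date(2016, 3, 1), assessed=date(2016, 3, 20), applicable=True,
                implemented=date(2016, 5, 10)),
    PatchRecord("P-005", released=date(2016, 3, 1), assessed=date(2016, 4, 15), applicable=False),
]

if __name__ == "__main__":
    for patch_id, items in findings_report(SAMPLE, date(2016, 6, 1)).items():
        print(patch_id, "; ".join(items))
```
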


Issues and Concerns V5

• Conducting Personnel Risk Assessment (PRA) for Contractors

- Can I let the contracting company perform the PRA on their personnel?

• Solution

- Yes, subject to the following expectations:

- Must review and approve contractor’s PRA program

- Confirm the contractor’s evaluation criteria align with the Registered Entity’s

- Confirm the contractor followed its program


Issues and Concerns V5

• Alerts for Security Events/Unauthorized Access

- If I get alerts sent to my smart phone for security events and/or unauthorized access attempts, does my phone have to be CIP protected?

• Solution

- No, the phone does not meet the definition of an EACMS (Electronic Access Control or Monitoring System) or PACS (Physical Access Control System)


Summary

• Contact SPP RE for outreach assistance ASAP

• Don’t be shy about asking SPP RE questions – there are no audit implications!

• Cut down on-site audit time by submitting quality evidence

– See breakout session slides on CIP V5 Evidence and Expectations

• Follow NERC’s transition guidance

• Pay close attention to requirements’ applicability statements


SPP RE CIP Team

• Kevin Perry, Director of Critical Infrastructure Protection (501) 614-3251

• Shon Austin, Lead Compliance Specialist-CIP (501) 614-3273

• Steven Keller, Lead Compliance Specialist-CIP (501) 688-1633

• Jeremy Withers, Senior Compliance Specialist-CIP (501) 688-1676

• Sushil Subedi, Compliance Specialist II-CIP (501) 482-2332

• Robert Vaughn, Compliance Specialist II-CIP (501) 482-2301


Revised Standards

September 29, 2015 Fall Workshop

SPP RE Staff: Jim Williams, Thomas Teafatiller, Mike Hughes


Use of Presentation

• This presentation covers highlights from multiple NERC Reliability Standards

• For simplicity, some wording from the standard has been shortened, paraphrased, or omitted

• Due to space and time constraints, some topics, special cases, and notes have not been addressed

• It is important to read each standard in its entirety and independently verify the accuracy of the information contained in this presentation prior to reliance upon that information for NERC compliance


Overview

TRAINING

PER-005-2 Operations Training Effective 7/1/16

PROTECTION

PRC-004-3/4 Misoperations Effective 7/1/16

PRC-005-3(i)/4 Protection Systems Effective 4/1/16 & 10/1/16

PRC-019-1/2 Voltage Regulating Controls Effective 7/1/16

PRC-024-1/2 Frequency/Voltage Relays Effective 7/1/16


PER-005-2 Operations Personnel Training

(Effective 7/1/16)


PER-005-2

• Enforcement Date: July 1, 2016

• Applicability Functional Entities:

– Reliability Coordinator

– Balancing Authority

– Transmission Operator

– Transmission Owner

– Generator Operator


PER-005 Applicability – Added Functional Entities:

• Transmission Owner that has:

– Personnel, excluding field switching personnel, who can act independently to operate or direct the operation of the Transmission Owner’s Bulk Electric System transmission Facilities in Real-time.

• Generator Operator that has:

– Dispatch personnel at a centrally located dispatch center who receive direction from the Generator Operator’s Reliability Coordinator, Balancing Authority, Transmission Operator, or Transmission Owner, and may develop specific dispatch instructions for plant operators under their control. These personnel do not include plant operators located at a generator plant site or personnel at a centrally located dispatch center who relay dispatch instructions without making any modifications.


PER-005 version 1 to version 2

• PER-005-1 R1 – “…shall use a systematic approach to establish a training program..”

• PER-005-2 R1 – “…shall use a systematic approach to develop and implement a training program…”


PER-005 version 1 to version 2

• PER-005-1

– R1.1 – “…shall create a list of BES company-specific reliability-related tasks performed by its System Operator.”

– R1.1.1 – “…each calendar year identify new or modified tasks for inclusion in training.”

• PER-005-2

– R1.1 – “…shall create a list of Bulk Electric System (BES) company-specific Real-time reliability-related tasks based on a defined and documented methodology.”

– R1.1.1 – “…shall review and update its list if necessary…”


PER-005 version 1 to version 2

• PER-005-1

– R1.2 – “…shall design and develop learning objectives and training materials…”

– R1.3 – “…shall deliver its training established in R1.2.”

– R1.4 – “…shall conduct an annual evaluation of the training program…”

• PER-005-2

– R1.2 – “…shall design and develop training materials according to its training program…”

– R1.3 – “…shall deliver its training according to the training program.”

– R1.4 – “…shall conduct an evaluation each calendar year of the training program…”


PER-005 Version 1 to Version 2

• PER-005-1

– R2 – “…shall verify each System Operators capabilities to perform each assigned task… at least one time.” (RC, BA and TOP)

– R2.1 – shall verify capabilities to perform new or modified tasks.

• PER-005-2

– R3 – “…shall verify, at least once, the capabilities of its personnel.” (RC, BA, TOP and TO)


PER-005 Version 1 to Version 2

• PER-005-1

– R3 – “At least every 12 months each RC, BA and TOP shall provide 32 hours of EOPs training.”

– R3.1 – “Each RC, BA and TOP that has operational authority or control over Facilities with established IROLs or has established operating guides or protection systems to mitigate IROL violations shall provide each System Operator with emergency operations training using simulation technology…”

• PER-005-2

– R4 – “Each RC, BA, TOP and TO that has operational authority or control over Facilities with established IROLs or has established protection systems or operating guides to mitigate IROL violations shall provide each personnel with emergency operations training using simulation technology…”


PER-005 Version 1 to Version 2

• PER-005-2

– R5 – “Each RC, BA, TOP shall use a systematic approach to develop and implement training for its identified Operations Support Personnel on how their job function(s) impact those BES company-specific Real-time reliability-related tasks.”

– R5.1 – “shall conduct an evaluation each calendar year of the training established in Requirement R5 to identify and implement changes to the training.”

– R6 – “Each Generator Operator shall use a systematic approach to develop and implement training to its personnel identified in Applicability Section 4.1.5.1 of this standard, on how their job function(s) impact the reliable operations of the BES during normal and emergency operations.”


PER-005-2 Evidence

• R1 - Evidence of using a systematic approach to develop and implement a training program for its System Operators

• R1.1 - The methodology and its BES company specific Real-time reliability-related task list, with the date of the last review

• R1.2 - Training materials

• R1.3 - System Operator training records showing the names of the people trained, the title of the training delivered, and the dates of delivery to show that it delivered the training

• R1.4 - Evidence (such as instructor observations, trainee feedback, supervisor feedback, course evaluations, learning assessments, or internal audit results) that it performed an evaluation of its training program


PER-005-2 Evidence

Each TO:

• R2 - Evidence of using a systematic approach to develop and implement a training program

• R2.1 - Methodology and its BES company-specific Real-time reliability-related task list, with the date of the last review

• R2.2 - Training materials

• R2.3 - Training records

• R2.4 - Evidence (such as instructor observations, trainee feedback, supervisor feedback, course evaluations, learning assessments, or internal audit results) that it performed an evaluation of its training program


PER-005-2 Evidence

• R3 - Evidence to show that it verified the capabilities of each of its personnel assigned to perform each of the BES company-specific Real-time reliability-related tasks.

– May be documents such as records showing capability to employee name and date; supervisor check sheets showing the employee name, date, and BES company-specific real-time reliability-related task completed; or the results of learning assessments.

• R4 - Training records that provide evidence that personnel identified in R1 or R2 completed training that includes the use of simulation technology

• R5 - Operations Support Personnel completed training in accordance with its systematic approach

• R6 - GOPs’ applicable personnel completed training in accordance with its systematic approach.


Dispersed Generation Resources

• The four standards that follow have each been updated to address treatment of dispersed power generation

• The NERC web page for Project 2014-01 Standards Applicability for Dispersed Generation Resources, and the associated white paper may be found here


PRC-004-3 Protection System Misoperation Identification and Correction (Effective 7/1/16)

Link- PRC-004-3


Overview of Changes for PRC-004

• Version 3 and Version 4 were both approved with the same effective date

– V4 will supersede V3

– V4 just changed one applicability statement

• New standard is a complete rewrite

• New Standard put time limits on everything

• Previous standard didn’t spell out “analysis of operations”


PRC-004-3 Applicability

• Applicability-Add

• Underfrequency load shedding BES elements

• Applicability-Exclude

• Non-protective functions within Protection System

• Protective functions intended to operate as a control function during switching

• Special Protection Systems (SPS)

• Remedial Action Schemes (RAS)


PRC-004-3 R1

• R1 – If you own a BES interrupting device, and it operates, within 120 days you shall identify whether its Protection System component(s) caused a Misoperation

• Evidence may include:

• Reports, emails

• Analyses of sequence of events

• Relay targets, test results

• Disturbance Monitoring Equipment (DME) records


PRC-004-3 R2

• R2 – If you own a BES interrupting device that operates, within 120 days notification should be made to the other owners, if the Composite Protection System ownership is shared

• Evidence may include:

• Emails

• Faxes

• Transmittals


PRC-004-3 Cont.

• R3 – If you receive a notice pursuant to R2, you should identify whether your Protection System component caused a Misoperation. This should happen within the later of 60 calendar days of notification or 120 calendar days of the operation.

• Evidence may include:

• Reports, emails

• Analyses of sequence of events

• Relay targets, test results

• Disturbance Monitoring Equipment (DME) records


PRC-004-3 Cont.

• R4 – If you identify a Misoperation occurred in R1 or R3 and haven’t identified a cause, investigative actions must be performed at least once every two calendar quarters until:

(1) Cause is found, or

(2) Declare that no cause was identified

• Evidence may include:

• Reports, emails

• Analyses of sequence of events

• Relay targets, test results

• Disturbance Monitoring Equipment (DME) records


PRC-004-3 Cont.

• R5 – If your Protection System component causes a Misoperation, within 60 calendar days from identifying the cause:

(1) Corrective Action Plan (CAP) must be developed and you must evaluate the plan’s applicability to other locations or

(2) Declare why corrective actions are beyond your control or would not improve BES reliability

• Evidence may include:

• Corrective Action Plan and evaluation

• Declaration


PRC-004-3 Cont.

• R6 – Implement each CAP developed in R5, and update each CAP if actions or timetables change, until completed

• Evidence may include:

• Records that CAP was implemented

• Revision history of CAPs with changes


PRC-004-4 Protection System Misoperation Identification and Correction (Effective 7/1/16)

PRC-004-4


PRC-004-4 Dispersed Power Generation

Applicability - Exclude:

4.2.1.5 “Protection Systems of individual dispersed power producing resources identified under Inclusion I4 of the BES definition where the Misoperations affected an aggregate nameplate rating of less than or equal to 75 MVA of BES Facilities.”


PRC-005-3(i)/4 Protection System and Automatic Reclosing Maintenance (Effective 4/1/16 & 10/1/16)


Overview of Changes for PRC-005

• PRC-005-3(i) adds Automatic Reclosing Maintenance

• PRC-005-4 adds Sudden Pressure Relay Maintenance

• PRC-005 is not applicable to dispersed generation resources below an aggregate of 75 MVA (same position as the dispersed generation resource white paper)

• The implementation plan established under PRC-005-2 remains unchanged except for the addition of Automatic Reclosing and Sudden Pressure Relays


PRC-005-3(i) Applicability to Dispersed Generation Resources

4.2.6.1 “Protection Systems for Facilities used in aggregating dispersed BES generation from the point where those resources aggregate to greater than 75 MVA to a common point of connection at 100kV or above.”


PRC-005-4 Applicability to Automatic Reclosing

4.2.6.1 “Automatic Reclosing applied on the terminals of Elements connected to the BES bus located at generating plant substations where the total installed gross generating plant capacity is greater than the gross capacity of the largest BES generating unit within the Balancing Authority Area or, if a member of a Reserve Sharing Group, the largest generating unit within the Reserve Sharing Group.” (see footnote 1 for exclusions)

For SPP BA, largest BES generating unit is ~1,200 MW

For other BAs (MISO; SWPA), applicability is based on the largest generating unit in that BA


PRC-005-4 Applicability to Automatic Reclosing, continued

4.2.6.2 “Automatic Reclosing applied on the terminals of all BES Elements at substations one bus away from generating plants specified in Section 4.2.6.1 when the substation is less than 10 circuit-miles from the generating plant substation.”

4.2.6.3 “Automatic Reclosing applied as an integral part of a RAS* specified in Section 4.2.4.”

* RAS or Remedial Action Scheme – formerly Special Protection Scheme (SPS). See NERC Glossary of Terms for definition of RAS.

PRC-005-4 Applicability to Sudden Pressure Relaying

4.2.1 “Protection Systems and Sudden Pressure Relaying that are installed for the purpose of detecting Faults on BES Elements (lines, buses, transformers, etc.)”


PRC-005 Evidence

Evidence of maintenance within time-based intervals may include, but is not limited to, dated:

• Maintenance records

• Maintenance summaries

• Check-off lists

• Inspection records

• Work orders


PRC-005-3(i) Implementation Plan for Automatic Reclosing

Maximum Maintenance Interval | % Compliant | By
--- | --- | ---
6 calendar years | 30% | April 1, 2018 (36 months following regulatory approval)*
6 calendar years | 60% | April 1, 2020 (60 months following regulatory approval)
6 calendar years | 100% | April 1, 2022 (84 months following regulatory approval)
12 calendar years | 30% | April 1, 2020 (60 months following regulatory approval)
12 calendar years | 60% | April 1, 2024 (108 months following regulatory approval)
12 calendar years | 100% | April 1, 2028 (156 months following regulatory approval)

* Or, for generating plants with scheduled outage intervals exceeding three years, at the conclusion of the first succeeding maintenance outage.

PRC-005-4 Implementation Plan for Sudden Pressure Relays

Maximum Maintenance Interval | % Compliant | By
--- | --- | ---
6 calendar years | 30% | October 1, 2018 (36 months following regulatory approval)*
6 calendar years | 60% | October 1, 2020 (60 months following regulatory approval)
6 calendar years | 100% | October 1, 2022 (84 months following regulatory approval)
12 calendar years | 30% | October 1, 2020 (60 months following regulatory approval)
12 calendar years | 60% | October 1, 2024 (108 months following regulatory approval)
12 calendar years | 100% | October 1, 2028 (156 months following regulatory approval)

* Or, for generating plants with scheduled outage intervals exceeding three years, at the conclusion of the first succeeding maintenance outage.

NERC Project 2007-09 Generator Verification

The two standards that follow, PRC-019 and PRC-024, are new standards created under NERC Project 2007-09 … “to ensure that generators will not trip off-line during specified voltage and frequency excursions or as a result of improper coordination between generator protective relays and generator voltage regulator controls and limit functions”


PRC-019-1/2 Coordination of Generating Unit, Voltage Regulating Controls, and Protection

(Effective 7/1/16)


PRC-019-1/2 Background

• PRC-019-1 was created under NERC Project 2007-09 Generator Verification

• The purpose is to verify coordination of generator (or plant) voltage regulator controls and limit functions

• PRC-019-2 is a minor change to address distributed generation resources

• PRC-019-2 becomes effective 7/1/2016

• Skip PRC-019-1 (use PRC-019-2)


PRC-019-2 Applicability

4.2.1 “Individual generating unit greater than 20 MVA (gross nameplate rating) directly connected to the Bulk Electric System.”

4.2.2 “Individual synchronous condenser greater than 20 MVA (gross nameplate rating) directly connected to the Bulk Electric System.”

4.2.3 “Generating plant/ Facility consisting of one or more units that are connected to the Bulk Electric System at a common bus with total generation greater than 75 MVA (gross aggregate nameplate rating).”


PRC-019-2 Applicability

4.2.3.1 “This includes individual generating units of the dispersed power producing resources identified through Inclusion I4 of the Bulk Electric System definition where voltage regulating control for the facility is performed solely at the individual generating unit of the dispersed power producing resources.”

[The Standards Drafting Team (SDT) clarified - facilities that solely regulate voltage at the individual generating unit are subject to the requirements.]


PRC-019-2 R1, R2

• At a maximum of every five calendar years (R1), and within 90 days following changes that will affect the coordination (R2), coordinate the voltage regulating system controls…

• Verify in-service limiters are set to operate before the Protection System … to avoid disconnecting the generator unnecessarily

• Verify Protection System devices are set to isolate equipment when operating conditions exceed equipment capability or stability limits


PRC-019-2 Evidence

M1. … “evidence (such as examples provided in PRC-019 Section G) that it coordinated the voltage regulating system controls, including in-service limiters and protection functions, with the applicable equipment capabilities and settings of the applicable Protection System devices and functions as specified in Requirement R1. This evidence should include dated documentation that demonstrates the coordination was performed.”

(See standard for M2)


PRC-019-2 P-Q Diagram


PRC-024-1/2 Generator Frequency and Voltage Protection Relay Settings

(Effective 7/1/16)


PRC-024-1/2 Background

• Applicable to Generator Owner

• PRC-024-1 was created under NERC Project 2007-09 Generator Verification

• The purpose is to ensure that generators remain connected during defined frequency and voltage excursions

• PRC-024-2 is a minor change to address distributed generation resources

• PRC-024-2 becomes effective 7/1/2016

• Skip PRC-024-1 (use PRC-024-2)

PRC-024-2 R1

Set overfrequency (ANSI 81O)* and underfrequency (ANSI 81U) trip relays such that the relaying does not trip the generator within the “no trip zone” of PRC-024 Attachment 1, subject to the following exceptions:

• Impending or loss of synchronism (out-of-step)

• Necessitated to clear a system fault

• Equipment limitations (within the “no trip zone”) documented and communicated in accordance with R3

* We have included these American National Standards Institute (ANSI) relay numbers for your information

PRC-024-2 R2

Set overvoltage (ANSI 59) and undervoltage (ANSI 27) trip relays such that the relaying does not trip the generator within the “no trip zone” of PRC-024 Attachment 2, subject to the following exceptions:

• Impending or loss of synchronism (out-of-step)

• Necessitated to clear a system fault

• Equipment limitations (within the “no trip zone”) documented and communicated in accordance with R3

• In accordance with a Special Protection System (SPS) or Remedial Action Scheme (RAS)


PRC-024-2 R3, R4

• R3: Document and communicate limitations to the Planning Coordinator (PC) and Transmission Planner (TP) within 30 days following any change in limitations (including removal of previous limitations)

• R4: Provide trip settings to the PC or TP within 60 days upon request (and within 60 days of any change if previously submitted to PC or TP)


PRC-024-2 Generator Frequency Protective Relaying

Footnote #2 [R1]:

• For frequency protective relays associated with dispersed power producing resources identified through Inclusion I4 of the BES definition, this requirement applies to frequency protective relays:

– Applied on the individual generating unit of the dispersed power resources

– Applied on equipment from the individual generating unit of the dispersed power producing resource up to the point of interconnection.


PRC-024-2 Generator Voltage Protective Relaying

Footnote #4 [R2]:

• For voltage protective relays associated with dispersed power producing resources identified through Inclusion I4 of the BES definition, this requirement applies to voltage protective relays:

– Applied on the individual generating unit of the dispersed power resources

– Applied on equipment from the individual generating unit of the dispersed power producing resource up to the point of interconnection


PRC-024-2 Rationale for Footnotes 2 and 4

• The point of the Standard is to keep generating units on-line and running during frequency or voltage excursions.

• Individual generators and aggregating equipment must be set to respect the “no-trip zone” referenced in the requirements.


PRC-024-2 Evidence

• M1. Each GO shall have evidence that generator frequency protective relays have been set in accordance with R1 such as:

– Setting and calibration sheets

• M2. Each GO shall have evidence that generator voltage protective relays have been set in accordance with R2 such as:

– Setting and calibration sheets

– Voltage-time curves

– Coordination plots

– Dynamic simulation studies or other documentation.

• (See standard for M3 and M4)


FOR REFERENCE

Webinar presented 8-6-15 on other new standards


Upcoming Standards

August 6, 2015 SPP RE Webinar

Greg Sorenson, Steven Keller SPP RE Staff

Overview

• CIP-014-2 (effective 10/1/15)

• COM-001-2 (effective 10/1/15)

• PRC-006-2 (effective 10/1/15)

• FAC-001-2 (effective 1/1/16)

• FAC-002-2 (effective 1/1/16)

• MOD-031-1 (effective 7/1/16)


CIP-014-2

• FERC directed NERC to develop a physical security standard on March 7, 2014

• The order requires a standard:

– “to identify facilities on the Bulk-Power System that are critical to the reliable operation of the Bulk-Power System. Then, owners or operators of those identified critical facilities should develop, validate and implement plans to protect against physical attacks that may compromise the operability or recovery of such facilities.”

• 90 days to submit standard to FERC


CIP-014-2

• Applicability: Transmission Operators

• Applicability: Transmission Owners that own:

– 500 kV or higher Transmission Facilities

– 200 kV to 499 kV Transmission Facilities that meet the weighting table’s 3000 point threshold

– Transmission Facilities identified by the Reliability Coordinator, Planning Coordinator, or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs)

– Transmission Facilities identified as essential to meeting Nuclear Plant Interface Requirements


CIP-014-2

• First three requirements deal with:

– Risk assessment to identify in-scope assets

– Review of the risk assessment by an unaffiliated third-party reviewer

– Sharing of information with affected entities

• Three subsequent requirements deal specifically with physical security issues:

– Evaluate potential threats and vulnerabilities

– Develop and implement a documented physical security plan

– Unaffiliated third-party review of the evaluation and corresponding security plan

CIP-014-2

• R1 must be complete by 10/01/15

• R2 shall be completed as follows:

– Parts 2.1, 2.2, and 2.4 shall be completed by 12/30/15

– Part 2.3 shall be completed within 60 calendar days of the completion of performance under R2 part 2.2

• R3 shall be completed within 7 calendar days of completion of performance under R2

• R4 and R5 shall be completed within 120 calendar days of completion of performance under Requirement R2

• R6 shall be completed as follows:

– Parts 6.1, 6.2, and 6.4 shall be completed within 90 calendar days of completion of performance under R5

– Part 6.3 shall be completed within 60 calendar days of R6 part 6.2

CIP-014-2 Suggested Evidence

R1

– List of all BES stations/substations

– List of Transmission stations/substations planned in the next 24 months.

– List of Transmission stations/substations that meet criteria specified in Section 4.1.1

– Current and Prior R1 risk assessments

R2

– Dated evidence of third-party verification of entity’s risk assessment performed under R1


CIP-014-2 Suggested Evidence

R2

– Dated documentation of third-party verification and recommendations for addition or deletion, if any, including recommendations from third-party verifier or explicit statement from the third-party verifier that the verification was completed with no recommendations

R3

– If applicable, dated communications with TOP identified control centers as in scope for R4-R6


CIP-014-2 Suggested Evidence

R4

– List of all stations, substation, and control centers identified in R1-R3

– A description of the entity’s process for executing the evaluation prescribed in Requirement R4

– Dated threat and vulnerability assessment containing all components specified in Requirement R4. Threat and vulnerability assessments may be separate documents provided they are used together to determine vulnerabilities


CIP-014-2 Suggested Evidence

R5

– List of all stations, substation, and control centers identified in R1-R3

– Dated physical security plan(s) addressing all components of R5

– Evidence supporting implementation of measures identified in the physical security plan such as: training records, work orders, photographic evidence, visual verification, direct observations

CIP-014-2 Suggested Evidence

R6

– Dated documentation of unaffiliated third-party dated review of entity’s R4 evaluation and R5 security plan(s)

– Documentation of recommendations or statement indicating no recommendations

– Documentation of changes in response to recommendation(s) and/or rationale for declining recommended change(s)


COM-001-2

• Replaces COM-001-1 for voice communications

• Data communication will be covered by revised TOP standards filed at FERC (NOPR issued)

• New Applicable Registered Entities – Distribution Provider, Generator Operator


COM-001-2 Definitions

• Interpersonal Communication – Any medium that allows two or more individuals to interact, consult, or exchange information

• Alternate Interpersonal Communication – Any Interpersonal Communication that is able to serve as a substitute for, and does not utilize the same infrastructure (medium) as, Interpersonal Communication used for day-to-day operation.

• Caution: VoIP and email often rely on same infrastructure


COM-001-2

• R1 and R2 – RC must have primary and designate Alternate Interpersonal Communications with all internal TOPs, BAs, and adjacent RCs.

• R3 and R4 – Each TOP must have primary and designate Alternate Interpersonal Communications with the RC, BA, and all adjacent TOPs

• New R3 – Each TOP must have primary Interpersonal Communication with each DP and GOP

– Are you sure phone list 100% complete?


COM-001-2

• R5 and R6 – Each BA must have primary and designate Alternate Interpersonal Communications for the RC, each TOP that operates facilities in that BA (metered boundaries), and adjacent BAs

• New R5 – each DP in its area, each GOP that operates facilities in its BA

• R7 – Each DP shall have Interpersonal Communication with the TOP and BA

• R8 – Each GOP shall have Interpersonal Communication with the TOP and BA


COM-001-2 Evidence examples

R1 through R8

• Physical installation

• Equipment specifications, test records, voice recordings, electronic communications


COM-001-2

• R9 – Each TOP, BA, and RC shall test its Alternate Interpersonal Communication each calendar month

– If failed, have 2 hours to initiate action to repair or designate replacement

• R10 – If primary Interpersonal Communication failed, 60 minutes to notify entities in R1, R3, R5 of detection if it lasts 30 minutes or longer.

– When does 60 minutes begin?

• R11 – Each DP and GOP detecting a failure should consult with affected parties and agree on restoration plan


COM-001-2 Evidence examples

• Phone test records, log entries

• Ensure action taken to initiate repair within 2 hours

• Clear notification of others within 60 minutes

– If many others, may need to start this process before 59 minutes

– Starts when the detection occurs (not after the 30 minutes)

• For DPs and GOPs, ensure communication and agreed upon plan is documented (or recorded)


COM-001-2 Data Retention Requirements

• Written Documentation – 12 calendar months

• Voice recordings – Last 90 days


PRC-006-2

• Only changes to R9, R10, and a new R15

• R9 – “Each UFLS entity shall provide automatic tripping of Load in accordance with the UFLS program design and schedule for implementation, including any Corrective Action Plan, as determined by its Planning Coordinator in each PC area in which it owns assets”

– UFLS Entity must implement Corrective Action Plans

– PC could develop a Corrective Action Plan as a result of a study or an event


PRC-006-2

• R10 – “Each TO shall provide automatic switching of its existing capacitor banks, Transmission Lines, and reactors to control over-voltage as a result of underfrequency load shedding if required by the UFLS program and schedule for implementation, including any Corrective Action Plan, as determined by the PC in each PC area in which the TO owns transmission.”

– Ensures that any voltage issues are addressed

– PC develops Corrective Action Plans based on a study or an event


PRC-006-2 Evidence

• Relays properly set to the PC’s UFLS plan

• Relay setting printouts

• UFLS relay tests, etc.

• Switching scheme logic or plans

• Making changes within the implementation plan as specified by the PC


PRC-006-2

• R15: If PC conducts a design assessment and determines that performance criteria not met:

– If a 5 year assessment is performed, assessment should include the Corrective Action Plan and a schedule for implementation (implementation may take longer)

– If a post-event assessment is performed, Corrective Action Plan developed within 2 years

• PC develops the schedule; UFLS entities must follow it


FAC-001-2

• TOs must all have Facility Interconnection requirements

• GOs with executed agreements must develop Facility Interconnection requirements within 45 days

• New standard has simpler list of requirements (R3)

• Procedures for coordinated studies of new or materially modified existing interconnections and their impacts on affected systems

• Procedures for notifying those responsible for the reliability of affected systems of new or materially modified existing interconnections


FAC-002-2

• R1 – Same new “material modification” discussion

• R1 – Each TP and each PC

– SPP RE expects both parties approve if a coordinated study is done

• GOs, TOs, and DPs must have evidence of coordination with the TP and PC (for example, provided needed data and modeling information)

• GOs have an explicit requirement to ensure studies done before adding to its facilities.


MOD-031-1 Glossary Term Revisions

• Demand Side Management

– All activities or programs undertaken by any applicable entity to achieve a reduction in Demand.

• Total Internal Demand

– The Demand of a metered system, which includes the Firm Demand, plus any controllable and dispatchable DSM Load and the Load due to the energy losses incurred within the boundary of the metered system.


MOD-031-1

• Combined the following standards

– MOD-016-1.1

– MOD-017-0.1

– MOD-018-0

– MOD-019-0.1

– MOD-020-0: MOD-020-0 was removed as it was identified as dealing with the operational time frame and should not be addressed with the other standards since they were applicable to the planning horizon

– MOD-021-1

MOD-031-1 Applicable Entities

• Planning Authority and Planning Coordinator (hereafter collectively referred to as the “Planning Coordinator”)

• Transmission Planner

• Resource Planner

• Balancing Authority

• Load-Serving Entity

• Distribution Provider


MOD-031-1 Overview of Requirements

• R1 – Planning Coordinator or Balancing Authority that identifies need for model data shall:

– Issue data request to applicable entities in its area

– R1.1 – 1.5.5 details of data requested and timeline to provide

• Evidence - dated data request from PC or BA


MOD-031-1 Overview of Requirements

• R2 – Each Applicable Entity identified in R1 provide data in accordance with R1 specifications and timeframe

– Evidence - dated transmittal to PC or BA

• R3 – Planning Coordinator or Balancing Authority provide data collected under R2 to applicable Regional Entity within 75 days of request

– Evidence - dated transmittal to RE within time frame of R3


MOD-031-1 Requesting Data

• R4 – “Any Applicable Entity shall, in response to a written request for the data included in parts 1.3-1.5 of Requirement R1 from a Planning Coordinator, Balancing Authority, Transmission Planner or Resource Planner with a demonstrated need for such data in order to conduct reliability assessments of the Bulk Electric System, provide or otherwise make available that data to the requesting entity…”

– This is a change and allows more access to data by the industry

– Timeframe of 45 days to provide data

– R4.1 provision to not provide data

MOD-031 Summary

• Provides PC and TP the authority to collect actual Demand and Demand Side Management

• Ensures historical and forecasted demand and energy information, forecasts, and assumptions are available to the parties that perform reliability studies/assessments

• Compares historical and forecasted Demand

• Consistent documentation and information sharing activities

• Supports effective planning practices to correctly identify needed system upgrades


Questions

• Please feel free to ask…

Greg Sorenson, Senior Compliance Engineer, 501-688-1713, [email protected]

Steven Keller, Lead Compliance Specialist-CIP, 501-688-1633, [email protected]


2016 Implementation Plan

September 29, 2015

Jeremy Withers, Senior Compliance Specialist [email protected] 501.688.1676

Jim Williams, Lead Compliance Specialist [email protected] 501.614.3261

Page 112: 2015 Fall Workshop - Southwest Power Pool fall... · Effective Internal Controls Tiffany Lake,Westar Terri Pyle, OG&E 9:20-9:35 Break 9:35-10:35 5 - Mitigation Expectations Simran

IMPLEMENTATION PLAN HIGHLIGHTS


What is the CMEP Implementation Plan?

• Electric Reliability Organization (ERO) Compliance Monitoring and Enforcement Program Implementation Plan (IP) is the annual operating plan

• In 2014, NERC began to consolidate the IP with the Regional Entities as Appendices

• SPP RE is Appendix A6


ERO Implementation Plan

• NERC is responsible for collecting and reviewing the RE’s IPs

• During the implementation year, NERC or an RE may update the IP


Appendix A6 – SPP RE 2016 Highlights

• Staffing - Two open positions, reduced enforcement staff, filled CIP Compliance Specialist position in 2015

• Inherent Risk Assessments (IRA) schedule

– SPP RE completed 24 IRAs for Registered Entities on 2015 audit schedule

– By the end of 2015, SPP RE will complete IRAs for Registered Entities on 2016 schedule

– By the end of 2016, SPP RE will complete IRAs for remaining Registered Entities

• CIP monitoring will focus on Registered Entities with high and medium impact BES Cyber Systems

• SPP RE CIP staff will continue CIP V5 outreach

Appendix A6 – SPP RE 2016 Highlights

• Security Reliability Program will transition from NERC to REs

• Periodic data submittals still required

• SPP RE has identified Self-Certification requirements on either a quarterly or annual basis


Appendix A6 – SPP RE 2016 Highlights

• SPP RE will continue to engage Registered Entities that request:

– Internal Control Evaluations (ICE)

  - In conjunction with a monitoring activity

  - Outside a scheduled monitoring activity

– Self-Logging

  - A Registered Entity assessment will be performed before granting the ability to self-log

Coordinated Oversight

• Registered Entities that are registered in multiple regions are called Multi-Region Registered Entities (MRREs)

– MRREs may not have the same NCR number but could be under the same parent company

• MRREs may request to be in the Coordinated Oversight Program

• The “affected” or associated REs will select a Lead RE to implement the MRRE’s compliance program

• SPP RE is the Lead RE for three MRREs

• SPP RE is the Affected RE for 10 other MRREs


ERO RELIABILITY ASSESSMENT

[Diagram: ERO Reliability Assessment; Regional Reliability Assessment; Registered Entity Assessment/Monitoring Scope]

Risk-Based Compliance Oversight

• In 2016, risk-based compliance oversight framework will continue

• Focuses on identifying, prioritizing, and addressing BPS risks

• SPP RE is responsible for assessing Registered Entities’ risks through IRA and tailoring monitoring activities:

– Monitoring method (Audit, Spot-Check or Self-Certifications)

– Frequency

– Scope


Risk-Based Compliance Oversight Framework

Identify the Risk Elements that are applicable to the Registered Entity to determine the initial monitoring scope

Development of Risk Elements

• NERC identified risk elements by using data including but not limited to:

– Compliance findings

– Event analysis

– Data analysis

– Expert judgement of NERC, RE staff, and committees

• SPP RE developed RE-specific risk elements by using:

– Compliance findings in SPP RE footprint

– Regional system events

– SPP RE staff’s professional judgement


Critical Comparison of 2015 and 2016 ERO Risk Elements

2015 Risk Elements | 2016 Risk Elements
Cyber Security | Critical Infrastructure Protection
Extreme Physical Events | Extreme Physical Events
Infrastructure Maintenance | Maintenance and Management of BPS Assets
Monitoring and Situational Awareness | Monitoring and Situational Awareness
Protection System Misoperations | Protection System Failures
Uncoordinated Protection Systems |
Long Term Planning and System Analysis | Event Response/Recovery
 | Planning and System Analysis
Human Error | Human Performance
Workforce Capability | (N/A for 2016)

2016 ERO Risk Elements

Critical Infrastructure Protection

Standard | Requirements | Functions | Asset Type
CIP-002-5.1 | R1, R2 | BA, GOP, GO, RC, TOP, TO | Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-005-5 | R1, R2 | BA, GOP, GO, RC, TOP, TO | Control Centers, Backup Control Centers, Data Centers, Substations, Generation Facilities
CIP-006-5 | R1, R2, R3 | BA, RC, TOP, TO | Control Centers, Backup Control Centers, Data Centers, Substations
CIP-007-5 | R1, R2, R3, R5 | BA, RC, TOP, TO | Control Centers, Backup Control Centers, Data Centers

2016 ERO Risk Elements

Extreme Physical Events

Standard | Requirements | Functions
EOP-010-1 | R1, R3 | RC, TOP
CIP-014-2 | R1, R2 | TO

Maintenance and Management of BPS Assets

Standard | Requirements | Functions
FAC-008-3 | R6 | GO, TO
PRC-005-2(i) | R3, R4, R5 | DP, GO, TO

2016 ERO Risk Elements

Monitoring and Situational Awareness

Standard | Requirements | Functions
IRO-005-3.1a | R1, R2 | RC
TOP-006-2 | R1, R2, R7 | BA, RC, TOP

Protection System Failures

Standard | Requirements | Functions
PRC-001-1.1(ii) | R3, R4, R5 | GOP, TOP
PRC-004-2.1(i) | R1, R2 | DP, GO, TO

2016 ERO Risk Elements

Event Response/Recovery

Standard | Requirements | Functions
EOP-001-2.1b | R1, R2, R3 | BA, TOP
TOP-007-0 | R1, R2, R3, R4 | RC, TOP

Human Performance

Standard | Requirements | Functions
COM-002-2 | R2 | RC, TOP, BA
PER-005-1 | R2, R3 | RC, TOP, BA

2016 ERO Risk Elements

Planning and System Analysis

Standard | Requirements | Functions
EOP-002-3.1 | R4 | BA
TPL-001-4 | R1, R2, R3, R4 | PC, TP
FAC-014-2 | R1, R5 | RC, TOP

SPP RE ASSESSMENT

[Diagram: ERO Reliability Assessment; Regional Reliability Assessment; Registered Entity Assessment/Monitoring Scope]

SPP RE Regional Monitoring Scope Plan

• SPP RE developed a 2016 Monitoring Scope Plan that identifies risk elements in SPP RE footprint

1. Facility Ratings

2. Restoration

3. Frequency Response

4. Voltage Support

5. Operational Planning

6. New Standards for 2016

7. Critical Infrastructure Protection


SPP RE Ops & Planning Risk Elements

Standards | Requirements | Applicable Functions | SPP RE Risk Element | Justification
BAL-003-1 | R1 | BA | Frequency Response | Frequency Response, New Standard
COM-001-2 | R3, R9 | TOP | New Standard | New Standard October 2015 - Communication
COM-002-4 | R1, R5, R6 | BA, RC, TOP | New Standard | New Standard July 2016 - Human Performance
EOP-005-2 | R6, R10 | TOP | Restoration | Verify restoration plans
EOP-008-1 | R4 | BA, TOP | Restoration | Backup site functionality
FAC-008-3 | R1, R2, R3 | GO | Facility Ratings | Facility Ratings
PER-005-2 | R3, R4 | RC, TOP, BA, TO | New Standard | New Standard July 2016 - Human Performance
PRC-004-4 | R1, R2 | DP, GO, TO | New Standard | New Standard July 2016 - Protection System
PRC-005-1.1b | R1, R2 | DP, GO, TO | Maintenance | Dual Program with PRC-005-2(i)
PRC-005-2(i) | R1 | DP, GO, TO | Maintenance | Underlying program for R3, R4
PRC-005-3(i) | R1, R3, R4, R5 | DP, GO, TO | New Standard | New Standard April 2016 - Maintenance
PRC-006-2 | R8, R9 | TO, DP | Frequency Response | UFLS
TOP-002-2.1b | R6, R11, R19 | TOP | Operations Planning | Situational Awareness
VAR-001-4 | R2 | TOP | Operations Planning | Situational Awareness
VAR-002-4 | R1, R2 | GOP | Voltage Support | AVR

Expanded ERO Risk Elements

Planning and System Analysis

Standard | Requirements | Functions
PRC-005-1.1b | R1, R2 | Maintenance and Management of BPS Assets

SPP RE Risk Elements

SPP RE CIP Risk Elements Standards and Requirements

Standard | Requirements | Applicable Functions | SPP RE Risk Element | Justification
CIP-007-5 | R4 | BA, DP, GOP, GO, RC, TOP, TO | Critical Infrastructure Protection | Essential to detecting and mitigating a possible compromise of a High or Medium Impact BES Cyber Asset/System
CIP-010-1 | R2 | BA, DP, GOP, GO, RC, TOP, TO | Critical Infrastructure Protection | Essential to detecting and responding to a Cyber Security Incident involving a High or Medium Impact BES Cyber System
CIP-008-5 | R1 | BA, DP, GOP, GO, RC, TOP, TO | Critical Infrastructure Protection | Essential to detecting and mitigating a possible compromise of a High Impact BES Cyber Asset/System

2016 SPP RE Monitoring Method and Frequency

• Monitoring methods will be determined by the Inherent Risk Assessment

– On-site audits for Transmission Operators (TOPs) and Balancing Authorities (BAs) on 3-year cycle

– Ops & Planning will conduct off-site audits or Spot Checks for non-BA/TOP entities

– Non-BA/TOP Registered Entities that had an audit in 2010 or registered within the last two years.

• CIP will not conduct audits for Registered Entities with low impact BES Cyber Systems

2016 SPP RE Monitoring Tools

• Self-Certification

– SPP RE will continue to require Registered Entities to perform a Self-Certification to ensure compliance with Reliability Standards

– 2016 NERC IP has not identified Reliability Standards and requirements that require Self-Certification

– SPP RE has identified requirements based on the Scope Plan

– Self-certification will be conducted using webCDMS

– Coordinated Oversight Registered Entities will follow the Lead Region’s IP

2016 SPP RE Monitoring Tools

• Periodic data submittal

– 2016 NERC IP does not identify requirements that require periodic data submittals

– SPP RE does identify requirements that require periodic data submittals

– SPP RE, SPP RTO, Lead Region, and MISO will collect them on a monthly, quarterly, or annual basis

REGISTERED ENTITY ASSESSMENT & MONITORING SCOPE

[Diagram: ERO Reliability Assessment; Regional Reliability Assessment; Registered Entity Assessment/Monitoring Scope]

Inherent Risk Assessment

NERC developed Inherent Risk Assessment (IRA) Guide and Internal Control Evaluation (ICE) Guide

SPP RE Inherent Risk Assessment

• To develop the monitoring scope, SPP RE will perform IRAs for Registered Entities scheduled for 2016 monitoring

• The assessment criteria will review Registered Entity’s Risk Factors:

Risk Factors | Risk Factor Attributes
Registration | Registered Functions
Geography/Climate | Terrain Vegetation Management Applicable facilities
Load and Generation | Peak Load, Total Generation, Control Centers, Customers…
Transmission | Voltage, Length over 100kV, Interconnections, Flowgates, SPS, UFLS…
History (Audit period) | Previous Violations Events EEA's, Events Reported…
Blackstart | General System Restoration, Blackstart Generation, Cranking Path…
SCADA Environment | SCADA/EMS, ICCP Association, PSP and ESP Access…

Inherent Risk Assessment

Compliance Oversight Plan

The entity assessment of Acme Power Company was performed to identify the monitoring and scope of the compliance engagement for 2016. The assessment of the attributes identified the levels of risk for the entity to the BES and the Regional Entity’s footprint. SPP RE determined that an on-site audit of Acme Power Company will be conducted on May 9 – 12, 2016 in accordance with NERC Rules of Procedure, 403.11. The engagement scope is based on the Risk Elements from the NERC 2015 Implementation Plan and the 2015 SPP RE Audit Scope Document applicable to the entity’s registered functions. SPP RE evaluated 35 risk attributes from the ERO Enterprise Inherent Risk Assessment Guide. The results were nine (9) high risk, eleven (11) moderate risk, twelve (12) low risks, and three (3) not applicable. The monitoring scope includes 30 standards with 70 requirements; see Attachment 1.

Monitoring Method | Date | Frequency of IRA | Next Monitoring
O&P/CIP Audit | May 9, 2016 | Audit 3 year cycle | May 2019

Inherent Risk Assessment


• Registration – Registered functions, identify the entity’s RC, BA, TOP…

• JRO/CFRs – What function, requirements and responsible entity

• Compliance History – Previous violations, discovery method, mitigated

• Technical Assessment – Risk factors, transmission and generation

• CIP Data – SCADA, workstations

• Technical Feasibility Exceptions – Requirements, current status, devices

• Internal Control Evaluation Performed - Std/Req, date, control implementation

• Monitoring Scope – Attachment 1

• Reference Documents – Risk Assessment Questionnaire, previous audit reports, self-certifications

• Event Review – summary of event

• Enforcement Mitigation Assessment – Mitigation milestones

• Registered Entity Assessment Revision History


Inherent Risk Assessment – Technical Assessment

Inherent Risk Assessment

Internal Controls Evaluation

Internal Control Evaluation (ICE)

• NERC has posted an ICE Guide

• ICE is a voluntary program

• Registered Entities may elect to have their internal controls evaluated

• If a Registered Entity elects not to participate in ICE or doesn’t have internal controls, SPP RE will monitor per usual

• If an ICE is performed, the ICE will not change the audit scope but could impact audit fieldwork


Key Points for 2016

• Monitoring scope will continue to include a review of all mitigation plans open during audit period

• SPP RE will determine Registered Entity’s scope based on:

– ERO-wide Risk Elements

– SPP RE Risk Elements

– SPP RE Registered Entity IRA

– SPP RE staff’s professional judgment

Audit Scope Expansion

• Compliance team may expand scope during monitoring activities based on:

– Team’s professional judgment

– Discovery of non-compliance during evidence review

• Will notify Registered Entity of an expansion in scope as soon as possible

Registered Entities are responsible for compliance with all enforceable Reliability Standards and Requirements in effect per their registered function at all times, regardless of what a Registered Entity’s risk profile may indicate.

2016 Monitoring Schedule – O & P

NCR Number | Entity Name | Type of Audit
NCR01061 | Board Of Public Utilities (Kansas City KS) (BPU) | On-Site
NCR11407 | Buffalo Dunes Wind Project, LLC (BDWP) | Off-Site
NCR11354 | Canadian Hills Wind, LLC (CHW) | Off-Site
NCR01067 | Carthage Water & Electric Plant (CAWEP) | Off-Site
NCR06033 | City Of Abbeville (ABBEVLA) | Off-Site
NCR01071 | City Of Clarksdale, Mississippi (CCM) | Off-Site
NCR06034 | City Of Minden (MINDENLA) | Off-Site
NCR01083 | Cleco Corporation (CLECO) | On-Site
NCR01092 | Eastman Cogeneration Limited Partnership (EASTMAN) | Off-Site
NCR11314 | Flat Ridge 2 Wind Energy LLC | Off-Site
NCR01072 | Independence Power & Light (Independence,Missouri) (INDN) | On-Site
NCR11329 | KODE Novus Wind I, LLC | Off-Site
NCR06050 | Mississippi Delta Energy Agency (MISSDEA) | Off-Site
NCR11264 | Post Rock Wind Power Project, LLC | Off-Site
NCR01139 | Public Service Commission Of Yazoo City (YAZO) | Off-Site
NCR06010 | Rayburn Country Electric Cooperative, Inc. (RCEC) | Off-Site
NCR11322 | Spearville 3, LLC (SPEAR3) | Off-Site
NCR11323 | Spinning Spur Wind, LLC (SPINSPUR) | Off-Site
NCR00658 | Westar Energy, Inc. (WR) | On-Site

2016 Monitoring Schedule - CIP

NCR Number | Entity Name | Type of Audit
NCR00658 | Westar Energy, Inc. (WR) | On-Site
NCR01114 | Lafayette Utilities System (LAFA) | On-Site
NCR01116 | Louisiana Energy & Power Authority (LEPA) | On-Site
NCR06048 | Lubbock Power And Light (LPLTX) | On-Site
NCR01148 | Sunflower Electric Power Corporation (SECI) | On-Site
NCR01155 | The Empire District Electric Company (EDE) | On-Site
NCR01083 | Cleco Corporation (CLECO) | On-Site
NCR01118 | Midwest Energy, Inc. (MIDW) | On-Site

SPP RE Documents

• SPP.org>Regional Entity>Compliance & Enforcement> 2016 Compliance Program folder will be populated with relevant documents:

- Monitoring schedules

- 2016 Reporting Requirements

- 2016 Monitoring Scope Plan

- Registered Entity Risk Assessment Questionnaire

* When the new SPP.org launches this fall, SPP.org links will change


Reference Documents

• NERC.com Compliance Resources page

• SPP.org > Regional Entity > Risk Based Compliance Monitoring and Enforcement for more info on ICE, IRA, Self-Logging, etc.

Jeremy Withers, Senior Compliance Specialist, [email protected], 501.688.1676

James Williams, Lead Compliance Specialist, [email protected], 501.614.3261

Internal Controls

Tiffany Lake – WESTAR

Terri Pyle – OG&E

Jim Nail - IPL

Compliance –

• a: the act or process of complying to a desire, demand, proposal, or regimen or to coercion

• b: conformity in fulfilling official requirements (Merriam Webster definition)

In other words… the things we do to fulfill the Requirements of the NERC Standards.

Internal Controls – systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to … deter and detect errors … ensure accuracy and completeness of its data … and ensure adherence to its policies and plans. (Business Dictionary.com)

In other words… Internal Controls are those additional things we do to ensure our Compliance activities

• Get Done On Time

• Get Done Correctly

• Get Documented Properly

Internal Controls come in many shapes and sizes

• Processes and Procedures

• Checklists

• Spreadsheets

• Calendar/Email reminders

• Training and Qualification

SPP RE FALL COMPLIANCE WORKSHOP

Westar Energy’s Approach to Internal Controls

• Traditional vs. Risk-Based Compliance Approach

• What is the impact to Westar Energy?

• Roles and Responsibilities

• Assessing Process-Level Risks

• Identifying Internal Controls

NERC 693 COMPLIANCE WORKSHOP

Transition to Risk-Based Compliance

Traditional Approach

• Review all applicable standards every year

• Collect evidence

• Conduct testing

• Update RSAWs

Risk-Based Compliance

• Review higher risk standards

• Utilize internal risk assessment results

• Collect evidence

• Conduct testing

• Conduct process-reviews

• Identify and prioritize process-level risk

• Identify and document internal controls

• Perform gap analysis


How does Risk-Based Compliance Impact Westar?

• Focus resources on higher risk areas

• Positive effect on reliability

• Better internal controls and management processes

• Incorporate 2015 lessons learned into 2016 work plan

• CIP Audit – April 2016

• 693 Audit – November 2016


Roles and Responsibilities

[Diagram: Internal Audit; NERC Compliance; Business Units]

Assessing Process-Level Risks

• Review reliability-related processes

• Misoperations

• Transmission Vegetation Management

• Identify process-level risks

• Perform a risk assessment

• Document risks

Identifying Internal Controls

• Identify and document existing internal controls

• Perform a gap assessment

• Implement internal controls where necessary

Tiffany Lake, Manager, NERC Reliability, (785) 575-8193, [email protected]

OG&E

OG&E Approach

• OG&E Compliance Progression

• Risk-Based Approach

– Risk Assessment

– Process Review & Mapping

– Internal Controls

• Documenting Internal Controls

• Current Focus Areas

• Benefits

• Examples

OG&E Compliance Process Progression

• Foundation - Compliance Management Program

– Compliance Management Tool - Define compliance, Collect evidence, Update RSAWs

• Compliance Assurance Process (CAP)

– Procedures, Process Flow Charts, Trained SMEs, Documented Evidence, RACIs, Controls

• Risk-Based Approach

– Documented risk assessment – emphasis on higher risk areas

– In depth process review and mapping

– Identify and document new internal controls

Risk Assessment Considerations

• NERC Risk Elements

• SPP Risk Elements

• Top 10 Most Violated Standards

• Standard VRFs

• Audit and Self-Certification Lists

• NERC Projects – pending Standards

• Past OG&E Compliance History

• Compliance Assurance Process (CAP) Score

• Other

Process Review and Mapping

• Process Mapping

– Detailed review with process owners

– Understand how work is done

– Incorporate compliance requirements

– Identify touch points within processes

  • Business groups

  • NERC Standards

– Include controls already in place

– Identify weak areas in the process and develop new controls

Internal Controls

• Level

– Entity

– Process

– Compliance assurance

• Type

– Preventive

– Detective

– Corrective

• Application

– Automated

– Manual

– Hybrid

• Frequency

– Daily

– Weekly

– Monthly

– Quarterly

– Annually

Documenting Internal Controls

OGE Internal Controls Spreadsheet - CIP

Standard | Req. | NERC Risk Element | SPP Risk Element | OGE Risk Ranking (High, Medium, Low) | Requirement Text | Internal Control ID | Control Title | Control Area | Internal Control Description | Goal of Controls | Control Type (Preventative, Detective, Corrective) | Control Application (Automated, Manual, Hybrid) | Control Frequency (e.g. real-time, daily, monthly, quarterly, annual, etc.) | Control Owner

• Start with what you have

• Review processes to identify new controls

• Consider process mapping as a tool

Current Focus Areas

OPS (693)
– Facility Ratings
– Operations Personnel Training
– Misoperations

CIP
– Recovery Plans
– Change Management

Benefits

• Better understanding of internal processes
• Improved processes
• Better defined roles and responsibilities
• Improved compliance assurance
• Improved reliability

Terri Pyle Manager, NERC Compliance (405) 553-3215 [email protected]

• Municipal Utility
• Registrations: TO/TOP/GO/GOP/TP/RP/DP/LSE
• 26 miles of 161 kV Transmission
• 4 BES Substations
• 1 BES Generation asset

Risk Assessment

• IPL system design very stable
• Maintenance program effective
• Program documents stable
• System events very rare
• Biggest risk is Awareness

Approach to Internal Controls

• Management focused – Lead Team, Reliability Team, CIP Team

• Monthly meetings with division managers and primary SMEs

• Develop tools (spreadsheets, checklists, procedures) to help supervisors monitor performance of compliance activities

Examples

CMT: Compliance Event Form

OG&E

CMT: Compliance Event Modification Form

OG&E

PER-005-1: Checklist for New Tasks or Identified Task Modifications

OG&E

PER-005-1: Review and Management of Training Process

OG&E

Facility Ratings Process Map and Standard Touchpoints

OG&E

Other Internal Control Examples

• Monthly CIP Team Meetings
– Review changes that could impact CIP compliance
• Monthly Blackstart Restoration Calls
– Review system changes that could impact plan
• Flowgate application in SCADA EMS
– Displays permanent and temporary flowgates and alerts
• Anti-virus software with automated removal and alerting

Questions?

Mitigation Expectations

Simran Ahuja, NERC Senior Compliance Enforcement Analyst
SPP RE 2015 Fall Workshop
September 30, 2015

RELIABILITY | ACCOUNTABILITY 2

Goals

Mitigation

Prevention

Root Cause

Risk-based CMEP

• Noncompliance processed in accordance with the risk to the BPS
• Formal Mitigation Plans are not required in all circumstances

Complete Reporting

Efficient Mitigation

Risk Reduced Quickly

Process Flow

Registered Entity
Regional Entity
NERC
FERC

Collaboration

Contents

Section 6.0 of CMEP

• Point of Contact
• Scope and description
• Cause of violation
• Action plan

Contents Contd.

• Prevention of recurrence
• Expected completion date
• Interim risk reduction
• Prevention of future risk

Submittal

• May be submitted anytime
• Sooner fixed sooner completed
• Shall be submitted within 30 days of NAVAPS

Mitigation Activities

• Acceptable for any disposition track
• FFTs and Compliance Exceptions with ongoing mitigation activities - complete within 12 months from date of posting

Scope and Root Cause

• Facts and circumstances
• Standard and Requirement
• Discovery method
• Define scope
• Root Cause

Corrective Actions

• Address instant issue
• Address root cause

Primary focus to correct issue and restore compliance

Preventive Actions

• Procedural and technical internal controls
• Detective controls
• Example - Updating procedures and training on new procedures

Lessens the likelihood of violating same Standard and Requirement again

Milestones and Timetable

• Timetable for completion
• If expected completion date is > 3 months from date of submittal, then set milestones at least every 3 months
• Request for extension
• Submit at least 5 business days before the original milestone or completion date

Communication!

Milestones and Timetable Contd.

• Expected Completion Date
– When all Corrective Actions including any milestones will be completed
– End of noncompliance vs. mitigation completion date
– Duration may affect penalty calculation
– Prevention of recurrence vs. above and beyond

Interim and Future Risk

• Critical for plans with longer durations
• Risks to the BPS while mitigation is in progress
• Actions should prevent or minimize risk to BPS

Regional Entity Review and Acceptance

• RE reviews within 30 days from receipt
• Issue written statement accepting/rejecting
– Otherwise deemed accepted
• Notify registered entity and NERC – accepted/rejected/extended
• Accepted Mitigation Plan to NERC within 5 business days

NERC Review and Approval

• NERC reviews within 30 days from receipt
• Issue written statement approving/rejecting
– Otherwise deemed approved
• Notify registered entity and RE – approved/rejected/extended
• Approved Mitigation Plan to FERC as non-public information within 7 business days

Completion

• Update RE on milestones and progress of Mitigation Plans
• Provide certification of completion to RE
• Signed by an officer, employee, attorney, or other authorized representative
• Include data or information sufficient to verify completion
– Examples
  o Training records, change management records, revised procedures, testing and maintenance records, patch assessment records, screenshots, list of users/access list

Mitigation Plan Checklist

ERO Mitigation Plan Guide - Checklist

References

• ERO Mitigation Plan Guide - April 2014
– Revision to be completed by end of year
• Appendix 4C to the Rules of Procedure – Compliance Monitoring and Enforcement Program

Conclusion

Thorough mitigation

Timely mitigation

Faster disposition and processing

Corrects issue to protect the reliability of the BPS

Bonus: The sooner you fix it, the sooner you can be done with it!

General Manager’s Report

Sept. 30, 2015 Dallas, TX

Ron Ciesiel SPP RE General Manager

SPP RE Violations By Year

2014-2015 YTD - Violation Dispositions

Winter Event Data Request

• FERC asked four REs to submit responses to questions concerning winter performance for Jan 7-9 and Feb 15-20, 2015

- Response due 9/29/15

• SPP did not have any hour exceeding 1,710 MW of outages

• Median MW outages of both time periods did not exceed 918 MW per hour

• Majority of outages due to natural gas curtailment

• Only two units experienced outages that previously experienced outages during the 2014 polar vortex

Total SPP RE Events for 2015

• Nine Events

- Four events reached Category 1 status

- One event reached Category 2 status

- Four did not reach “Category” status and were not analyzed via the Events Analysis process

SPP RE Regional Events 3Q (through 9-21)

• One category 2b. Complete loss of monitoring or control, at a control center for 30 min.

SPP RE Misoperation Report as of Q2-15

50 YEAR ANNIVERSARY

THE 1965 NORTHEAST BLACKOUT

DAVE CHRISTIANO

SPP RE

WHAT YOU KNOW…

• First big one of them all
• Long lasting impacts
• Led to formation of NERC
• Led to legend… “Where were you when the lights went out?”
• Led to a baby boom

9/30/2015 SPP RE Fall Seminar - Dallas, Texas Page 3

WHAT YOU MAYBE DIDN’T KNOW…

• Similar initiating incident as in 2003 blackout
• Similar flow results as in 2003 blackout
• The “first” real regional blackout occurred in the Missouri Basin Area in January 1965

SETTING THE STAGE (1)

• During and post-war boom in industrial growth and electricity demand

• Economies of scale and tech advancements reducing cost of electricity – lowest in 1970

• Emphasis on reliability not economics - interconnections

SETTING THE STAGE (2)

• Mostly pre-computer age (IBM 360 first delivered in 1965, 8-64k)
• SCADA primitive, mostly analog
• Nothing close to “real time” data sharing

SETTING THE STAGE (3)

• No formal interconnection coordination
• Interconnected Systems Group
• NAPSIC - 1963
• Operating Guide 9 – Action in Emergency (1964) (all of one page long; ironically approved in Niagara Falls)
• Niagara Falls development
• AC/DC battles
• About 4500 MW installed at Beck (Ontario) and Moses (NY)

SETTING THE STAGE (4)

• Relays all analog; requiring frequent maintenance
• Underfrequency relaying limited to tie lines, generators
• No underfrequency load shedding
• 1951 – Overcurrent backup relays installed at Beck
• 1963 - Relays reset to “broaden their protection” (375 MW setting; less than line rating)
• Operators were unaware of this setting (2011 Southwest Blackout – lack of awareness of transformer protection and Special Protection System trip points – contributing factor)

BIRD’S EYE VIEW (MAP FROM 2003 BLACKOUT REPORT)

SUPER SIMPLIFIED ELECTRICAL DIAGRAM. NIAGARA AREA

PRE CONTINGENCY

• Beck (Ontario) generation - 1800 MW
• Niagara (NY) generation - 2400 MW
• Net power schedule into Ontario - 300 MW
• Initial flow north to Beck - 470 MW
• Net flow north of Beck on five 230 kV lines – approx. 1800 MW (but not equally loaded)

SEQUENCE OF EVENTS (1)

• 5:16:11 p.m. first 230 kV line (Q29BD) north of Beck trips (no fault)
• +0.9 sec. to +2.7 sec. – four remaining 230 kV lines trip
• Net result – 2270 MW flowing into Ontario reverses into New York
• Beck and Moses units drop power, accelerate, then increase power -> huge oscillations result

R-O-W OUTAGES (1965 AND 2003)

SIMILARITY TO 2003 BLACK-OUT

SEQUENCE OF EVENTS (2)

• +3.3 sec. PASNY - Saunders (Massena) 230 kV line trips
• +3.5 sec. 115, 230 kV lines trip between NY and PJM
• +3.6 sec. Both west – east 345 kV lines trip (and all parallel 115 kV) - Con Ed -> PJM tie trips
• New York, New England and Ontario island

SEQUENCE OF EVENTS (3)

• 5:17:15.1 - 5:18:01 10 Beck units trip (low oil pressure) and 5 Moses units trip (overspeed)

• Numerous islands form all with mismatch of generation and load

• No underfrequency load shedding
• Would it have saved the system?

RESTORATION

• Unprecedented in scope and complexity
• Few black start plans since most utilities had never faced this situation

EFFECTS

• 30 million people affected
• Some suspected “it was the Russians”
• 600,000 stranded in NYC subways; Massive traffic jams
• Huge economic impacts
• NERC would be formed

FPC RECOMMENDATIONS (1)

1. Better relaying at Beck – review of overall design and operations (PRC-023, PRC-004)
2. Closer relationships between Canada/US (NERC)
3. Stronger transmission networks and interconnections
4. Establish planning and operating groups for intersystem coordination (RTO groups)
5. Perform stability studies (TPL-001-4)
6. Immediate check and frequent reviews of relay settings (PRC-023, PRC-025)

FPC RECOMMENDATIONS (2)

7. Review reserve margins (generation and transmission) (BAL-001, -002, MOD-004, -008)
8. When economics and reliability conflict security gets heavy weighting (EOP-002)
9. Generator response needs consideration (FAC-002, PRC-006, many MOD)
10. Industry-wide study of equipment during emergency conditions (EOP-005)
11. Load shedding should be considered (EOP-003)

FPC RECOMMENDATIONS (3)

12. Review training on emergency procedures (EOP-005, EOP-008, PER-005)

13. Recording equipment and black-start equipment (EOP-005, PRC-018)

14. Essential Customers should arrange for aux power supply

15. NY City subways develop evacuation plans

16. Elevators need mechanical backup

FPC RECOMMENDATIONS (4)

17. Communications facilities should be developed with auxiliary power sources (COM-001-1, EOP-008)
18. Gas stations need a way to pump gas without power
19. Suggest federal legislation to regulate the grid

Thirteen Recommendations by the Advisory Panel

50 YEARS LATER

• “Those who cannot remember the past are condemned to repeat it.” George Santayana
• Could it happen again?
• As Smokey says, “Only you… can prevent…”
• Questions?

FPC 1965 Blackout Recommendations

Chapter VI RECOMMENDATIONS

We make the recommendations set out below on the basis of our study to date. A panel of experts has also independently adopted a series of recommendations for interim and permanent actions to be taken by the affected utilities to avoid recurrence of major power failures, which support our own recommendations. A copy of the panel’s recommendations is attached as Appendix F.

The Commission’s recommendations are partial and tentative. We are proceeding to determine whether there are any additional changes in facilities or operational procedures in the affected area which

1. Measures have already been taken by Ontario Hydro to prevent the same relays from triggering another power failure. A number of the other affected utilities have also taken numerous precautions to avoid a recurrence of the series of events which resulted in the blackout. While we are unable to say that another blackout of similar magnitude is impossible, we regard the possibility of a recurrence as remote. The completion of the stability studies which have been initiated will offer a better basis for appraising the risks of a widespread blackout in the northeast and the measures required to avoid such a possibility. We recommend that all utilities, individually and collectively, reexamine the overall design and operation of their power systems.

2. The blackout, while it makes plain the need for full coordination between Ontario Hydro and the interconnected United States systems, also demonstrates the readiness of these systems to work together on electric energy problems. We recommend even closer working relationships between Canadian and U.S. operating organizations on the one hand and between Canadian and U.S. governmental authorities on the other. In this connection, the National Energy Board of Canada has been fully apprised of the various stages of the investigation and has continuously extended the utmost cooperation.

3. Isolated systems are not well adapted to modern needs either for purposes of economy or service. The power systems in the affected area are in a period of transition from isolated operation or light interconnections to strong linkages and close coordination. The system stability and freedom from outage hazard which is inherent in an integrated and coordinated power pool because of the ability of each participating system to draw on its neighbors for emergency support will be increased when the affected companies strengthen their internal transmission systems and the interties between systems. The stability of the system may also be strengthened by the proper location of generating capacity planned on a pool basis. These aspects must be considered together and constitute a parallel and closely coordinated development. There are numerous additional high voltage transmission facilities which the systems in the affected area have already agreed to build or which are under consideration both to strengthen the internal ties among generating plants and load centers within the individual systems and to strengthen the links between adjoining systems. The computer studies to which we have referred should be of assistance in determining which of these projects should be built on an accelerated priority basis. We recommend an acceleration of the present trend toward stronger transmission networks within each system and stronger interconnections between systems in order to achieve more reliable service at the lowest possible cost.

4. The systems in ????? the minimum reliability of service. Achievement of this goal requires close coordination of system planning and operation, which would be easier to achieve if the companies established one or more unified planning and operating groups which made this task their primary responsibility. We recommend the delegation to such planning and operating groups of sufficient responsibility to assure the performance of those functions which require close intersystem coordination.

5. The stability studies carried out by the systems in the CANUSE area - that is, the studies of how the systems would function under emergency conditions - did not postulate an emergency of the proportions which occurred. Additional stability studies are urgently required based upon the more stringent assumptions as to credible incidents which have now been shown to be necessary, and such studies are under way.

6. The power failure demonstrated the importance of close and frequent checks of relay settings controlling major facilities. The companies concerned should make such a check immediately and establish procedures for frequent review in the light of changing circumstances.

7. In the light of the consequences of the blackout we recommend a review of the question of reserve margins both in transmission and generating capacity. We hope to make specific recommendations on this subject as the result of the studies we are carrying out. Ample reserve margins constitute an important measure of insurance against peace-time outage hazards and would have even greater value under some assumptions as to defense needs.

8. Where there is a conflict between economic and service reliability factors in power system design the need for security of service should be given heavy weighting.

9. Our preliminary investigation makes clear that the type and distribution of generating reserves available may be as important as the amount, insofar as emergency use is concerned. The utilities in the CANUSE area must make a more sophisticated evaluation of the time factor involved in the utilization of spinning reserves in order to determine the responsiveness of the components of the total spinning reserves to emergency demands. Hydroelectric generation (including pumped storage), and other generation with quick starting and load pickup characteristics, are better capable of absorbing sudden increases in load than steam power stations which have slower rates of production increases. We recommend that the factor of quick responsiveness in the event of emergency should be given due consideration in the evaluation of alternative generating projects.

10. We recommend an industrywide as well as a utility-by-utility study of the adequacy of automatic equipment, communication facilities, recording facilities, and operating procedures in the dispatching and control centers and in power plants during emergency conditions.

11. It is possible that internal load shedding within the various systems involved could have prevented the complete collapse of the CANUSE network. Load shedding should be considered by the utilities along with other measures as part of their emergency operating procedures.

12. We are not in position to pass judgment on the need for improvement in emergency startup training for plant crews, although we pay tribute to their dedication and indefatigability. We recommend a thorough review of training procedures for emergencies.

13. The November 9 outage revealed the need by the utility systems for additional auxiliary power equipment to cope with systemwide outages. In some cases communication systems were dependent upon power supply from the power system itself. The same is true for automatic recording equipment and for the power required for startup of some of the steam plants. Other auxiliary facilities which were essential in restoring service were dependent upon system power supply. We recommend that the services required to limit the scope of a failure, to preserve a record of what occurred, and to enable startup of power plants in minimum time be provided with auxiliary power sources.

14. Civilian services which are deemed so essential that they cannot tolerate any interruption - that is, for which 99.9+ percent availability is not adequate - should arrange an auxiliary power supply. These include hospitals, airports, tunnels, draw-bridges, railroad and subway stations, some bus terminals, and basic communications services.

15. In most cases the cost of a full auxiliary power supply may be beyond its value, but in many situations it is feasible to provide a degree of protection to the public while system power supply is cut off. Thus, with respect to the Independent Subway in New York, where an alternative power supply for train operation may be impracticable, and possibly for the other New York City subways, at a minimum a subway evacuation scheme should be developed which would make the risk of interruption tolerable. This would require auxiliary lifting facilities for stations and tunnels.

16. Elevators are a special problem. In some cases it may be feasible to install auxiliary power supply adequate to move at least one elevator at a time to evacuate passengers. As a minimum, elevators should be provided with mechanical cranks or levers so that they can be moved manually in the event of stalling between floors in a power outage.

17. Communication facilities powered from auxiliary sources should be developed so that in the event of a power failure the public may be informed promptly as to the circumstances and appropriate governmental authorities notified.

18. One of the consequences of the power failure was that motorists were unable to buy gasoline because gasoline pumps were dependent upon the system power supply. We recommend to the petroleum industry that it devise a means to solve this problem in order to avoid risk of a transportation breakdown in the event of a power failure.

19. When the Federal Power Act was passed in 1935 no specific provision was made for jurisdiction over reliability of service for bulk power supply from interstate grids, the focus of the Act being rather on accounting and rate regulation. Presumably the reason was that service reliability was regarded as a problem for the states. Insofar as service by distribution systems is concerned this is still valid, but the enormous development of interstate power networks in the last thirty years requires a reevaluation of the governmental responsibility for continuity of the service supplied by them, since it is impossible for a single state effectively to regulate the service from an interstate pool or grid. The question of the need for additional legislation is under active consideration.

FPC Advisory Panel - Northeast Power Interruption

Recommendations for Actions To Be Taken by Affected Companies To Avoid Recurrence of Major Power Failures

I. Interim Measures

1. Immediately review standing instructions to operating personnel of each system supplying very large metropolitan areas relative to separation of the system from the interconnected network if system frequency drops to a predetermined value which indicates danger of loss of power supply due to trouble external to the system. Consider also the installation of automatic devices which may be available for tripping major transmission ties, non-critical load and generation, if necessary, to maintain adequate power supply to critical load.

2. Immediately undertake coordinated studies to review the adequacy of system and intersystem design and operating practices under unusually severe system disturbances comparable to the incident recently experienced.

3. Review means for assuring communications at all times between major system control centers.

4. Assess the adequacy of practices regarding the assignment of spinning reserve capacity on each system and the coordination of spinning reserve capacity among systems.

5. Investigate the feasibility of interruption of substantial blocks of non-critical load to provide effective emergency capacity when necessary.

6. Review present practices of scheduling power between systems and power pools so as to assure essential protection to critical load areas.

7. Review present relay applications.

8. Review standing procedures for restoring ties between systems so as to obtain maximum assistance for various contingencies.

9. Reexamine methods and facilities to obtain power supply for the rapid start-up of power plants shut-down by an emergency.

10. Determine steps which may be taken to prevent damage to generating units as they undergo emergency shut-down and to improve the start-up time of such units.

11. Reexamine the size of network segments and the adequacy of equipment, procedures and automatic devices to assure rapid restoration of underground urban network loads.

II. Permanent Measures

1. Accelerate construction of those facilities (transmission, generation, control and communication) now planned which will contribute significantly to reliability of service.

2. Reexamine the need for additional transmission, interconnection and related facilities which would enhance reliability of service within and among the affected systems and between the affected systems and outside utilities.

Approved by the Advisory Panel:

C. P. ALMON, Jr.
CHARLES CONCORDIA
E. B. CRUTCHFIELD
JOSEPH K. DILLARD
MORGAN DUBROW
W. S. KLEINBACH
L. F. LISCHER
G. H. MCDANIEL
T. J. NAGEL
G. O. WESSENAUER

NOVEMBER 16, 1965

North American Power Systems Interconnection Committee OPERATING GUIDE NO. 9

Action in Emergency

Approved: Fourth NAPSIC Meeting, Niagara Falls, Ontario, July 21, 1964

In a large interconnected system consisting of several pools and many systems, a temporary shortage of generating capacity in one system or even in an entire interconnected area is an ever-present operating possibility. Should such an emergency develop that is or may become of sufficient magnitude to affect operation throughout a significant portion of the interconnected system, a uniform understanding and approach is essential.

Since it is a basic principle that each control area shall plan to provide sufficient generating capacity to carry its expected load at 60 cps with provision for adequate ready reserve and regulating margin, if the internal resources are temporarily inadequate, arrangements should be made in advance with neighboring interconnected systems or pools to provide the necessary assistance. This assistance should be scheduled sufficiently in advance to permit the assisting systems or pools to provide the needed generating capability. In the event of a deficiency of generation in one system or pool which is offset by prearranged power supply from another system or pool, it is possible that certain interconnecting ties will be heavily loaded. Should an outage or unexpectedly heavy load occur, these interconnecting lines may become overloaded or may even fail to hold. This possibility must be recognized when making commitments for prearranged power supply. If due to an unforeseen emergency any transmission facility becomes seriously overloaded and cannot be relieved by adjusting generation, or by other means, appropriate relief measures shall be applied immediately by the deficient system to bring loading to within established emergency limits.

When a system disturbance occurs, a prime consideration is to maintain parallel operation throughout the interconnected system if at all possible. This will permit rendering maximum assistance to the system in trouble and may prevent cascading of trouble to other parts of the interconnection and assist in restoration of normal operation.

It is recommended that in such emergencies the following action shall be taken.

A. Power Shortage in a System or Pool

1. If a tie with other parts of the interconnection is seriously overloaded and cannot be relieved by adjusting generation in a system or pool, relief measures shall be applied immediately by the deficient system to bring the tie loading to within the established emergency limits.

2. The deficient system or pool shall be prepared to take action as in (1) above if requested to relieve serious overloads on a remote tie which is caused by the continuing deficiency.

3. In a large interconnected system, the possibility of critically low frequency in an emergency is remote. However, if a group of systems or pools becomes separated from the interconnected system, the possibility of critically low frequency does exist. If a power shortage in a system or pool is causing low frequency of a magnitude to impair or jeopardize the operation of other systems or pools, relief measures shall be applied by the deficient system to restore frequency to permit resynchronizing at any point of separation.

B. Power Shortage in an Adjacent or Remote System or Pool

1. Automatic tie-line bias frequency control should remain operative as long as practicable.

2. If automatic tie-line bias frequency control has become inoperative due to low frequency, manual control shall not be used to increase generation beyond the point necessary to restore automatic control unless mutual agreement is obtained with adjacent systems or pools.

3. If an overload persists on a tie toward a neighboring system or pool:

a. The affected system or pool shall notify the neighboring system or pool of the magnitude of the overload and request immediate relief.

b. If intolerable overload continues and equipment is endangered, the affected system or pool may open the overloaded ties.

Southwest Power Pool Regional Entity – Fall Workshop

Disposition Method: Full Notice of Penalty (enforcement disposition)

• Procedural Prerequisite: Settlement or NAVAPS/NOCV
• Initial Registered Entity Notice: Notice of Possible Violation
• Monetary Penalty: Set by NERC Penalty Tool, Maximum $1,000,000/Day
• Mitigation: Mitigation Completion Required before filing. Certification of Completion Required.
• Risk Determinate: Minimal, Moderate, Serious or Substantial
• Opt Out Provision: Hearing Option
• Violation History: Becomes part of Registered Entity’s violation history. Can be an aggravating factor in future penalty determinations
• Posting: Individual posting at NERC and NOP at FERC. Non-Public CIP
• Closure: FERC Order & Notice of Completion of Enforcement Action

Disposition Method: Spreadsheet Notice of Penalty (enforcement disposition)

• Procedural Prerequisite: Settlement or NAVAPS/NOCV
• Initial Registered Entity Notice: Notice of Possible Violation
• Monetary Penalty: Set by NERC Penalty Tool, Less than $100,000 aggregate
• Mitigation: Mitigation Completion Required before filing. Certification of Completion Required.
• Risk Determinate: Minimal, Moderate, Serious or Substantial
• Opt Out Provision: Hearing Option
• Violation History: Becomes part of Registered Entity’s violation history. Can be an aggravating factor in future penalty determinations
• Posting: Aggregate spreadsheet posting at NERC and FERC. Non-Public CIP
• Closure: FERC Order & Notice of Completion of Enforcement Action

Disposition Method: Find, Fix, Track and Report (enforcement disposition)

• Procedural Prerequisite: None
• Initial Registered Entity Notice: Notice of Possible Violation
• Monetary Penalty: No Penalty Applies
• Mitigation: Mitigation Plan required. Mitigation Plan must be completed within one year of posting at NERC. Officer attestation required.
• Risk Determinate: Minimal and Moderate
• Opt Out Provision: Notice required within ten business days of Notice of FFT disposition
• Violation History: Becomes part of Registered Entity’s violation history. Can be an aggravating factor in future penalty determinations
• Posting: Aggregate posting at NERC. Informational filing at FERC. Non-Public CIP
• Closure: Deemed closed by FERC/NERC after sixty day review period has run - Notice of Completion of Enforcement Action

Disposition Method: Compliance Exception (non-enforcement disposition)

• Procedural Prerequisite: None. Self-Logging Presumption for Compliance Exception
• Initial Registered Entity Notice: Preliminary Notice of Compliance Exception
• Monetary Penalty: No Penalty Applies
• Mitigation: Mitigation Plan required. Mitigation Plan must be completed within one year of posting at NERC.
• Risk Determinate: Minimal Only
• Opt Out Provision: Notice required within seven days of Notice of Compliance Exception disposition
• Violation History: Limited use for violation history. May be used in evaluating Registered Entity’s compliance history should Registered Entity fail to remediate an issue of noncompliance processed as a Compliance Exception and such failure contributes to a subsequent serious or substantial compliance matter
• Posting: Aggregate posting at NERC. Informational filing at FERC. Non-Public CIP
• Closure: Deemed closed by FERC/NERC sixty day review period run - automatic closure in Notice of Compliance Exception. May be reopened if Commission finds that Compliance Exception treatment was provided based on Registered Entity’s material misrepresentation of the facts underlying the Compliance Exception

New TOP Standards

September 29, 2015 Fall Workshop

SPP RE Staff: Greg Sorenson, Jeff Rooker

Use of Presentation

• The standards are discussed as filed with FERC

• This presentation covers highlights from multiple NERC Reliability Standards

• For simplicity, some wording from the standard has been shortened, paraphrased, or omitted

• Due to space and time constraints, some topics, special cases, and notes have not been addressed

• It is important to read each standard in its entirety and review the standards after approval by FERC

Overview

Regulatory Status

Relevant Definitions

IRO Standards

TOP-003-3 Operational Reliability Data

TOP-002-4 Operations Planning

TOP-001-3 Transmission Operations

Regulatory Status

• 3/18/2015 – NERC files TOP and IRO standards

• 6/18/2015 – FERC issues Notice of Proposed Rulemaking

• 8/4/2015 – NERC files comments in response to FERC NOPR

• 4Q 2015?? – FERC approves

• January 1, 2017?? new standards go into effect

– 12 months after regulatory approval

Acronyms

• Transmission Operator (TOP)

• Balancing Authority (BA)

• Generator Operator (GOP)

• Distribution Provider (DP)

• Load Serving Entity (LSE)

• Generator Owner (GO)

• Transmission Owner (TO)

Definitions – Glossary of Terms

• Operational Planning Analysis (new) – “An evaluation of projected system conditions to assess anticipated (pre-Contingency) and potential (post-Contingency) conditions for next-day operations. The evaluation shall reflect applicable inputs including, but not limited to, load forecasts, generation output levels, Interchange, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Facility Ratings, and identified phase angle and equipment limitations. (Operational Planning Analysis may be provided through internal systems or through third-party services.)”

Definitions – Glossary of Terms

• Operational Planning Analysis (old) – “An analysis of the expected system conditions for the next day’s operation. (That analysis may be performed either a day ahead or as much as 12 months ahead.) Expected system conditions include things such as load forecast(s), generation output levels, Interchange, and known system constraints (transmission facility outages, generator outages, equipment limitations, etc.)”

Definitions – Glossary of Terms

• Real-time Assessment (new term) – “An evaluation of system conditions using Real-time data to assess existing (pre-Contingency) and potential (post-Contingency) operating conditions. The assessment shall reflect applicable inputs including, but not limited to: load, generation output levels, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Interchange, Facility Ratings, and identified phase-angle and equipment limitations. (Real-time Assessment may be performed through internal systems or through third-party services.)”

IRO Standards – Reliability Coordination

• IRO-001-4 R2, R3 – TOP, BA, GOP, DP – Still need to follow RC directives or provide reasons why cannot

• IRO-002-4 – Only applies to RC

• IRO-008-2 – Only applies to RC

• IRO-010-2 – R3 – RC, BA, GO, GOP, TOP, TO, DP, LSE – You must provide data needed for RC’s Operational Planning Analysis, Real-time monitoring, Real-time Assessments as specified by the RC (SPP Criteria Appendix 7, MISO Business Practice 10)

IRO Standards Reliability Coordination

• IRO-014-3 – Applies to the RC only

• IRO-017-1 – Outage Coordination (New Standard)

– R1 – RC specifies roles and responsibilities, communication of outage schedules, coordination of responsibilities between TOPs and BAs

– RC specifies outage submission timing requirements

– RC specifies process to evaluate the impact of outages

– RC defines process for resolving conflicts

• MISO and SPP both have defined processes – may be updated as a result of the standard

IRO Standards Reliability Coordination

• R2 – “Each TOP and BA shall perform the functions specified in its RC’s outage coordination process”

– Caution on outage submission timing – now monitored by the Regional Entity, not just peer pressure

• R3 – “Each PC and TP shall provide its Planning Assessment to impacted RCs.”

– No “as requested”

IRO Standards Reliability Coordination

• R4 – “Each PC and TP shall jointly develop solutions with its respective RC for identified issues or conflicts with planned outages in its Planning Assessment for the Near-Term Transmission Planning horizon.”

– Planning Assessment – documented evaluation of future Transmission System performance (see TPL-001-4)

– Near Term (years 1-5)

– 6 month outages

TOP-003-3 – Operational Reliability Data

• R1 – “Each TOP shall maintain a documented specification for the data necessary for it to perform its Operational Planning Analyses, Real-time monitoring, and Real-time Assessments”

– 1.1 needed data and info including non-BES data and external network data

– 1.2 provisions for notification of current Protection System status or degradation

– 1.3/1.4 – periodicity and deadline

• R2- same for BA

TOP-003-3 Operational Reliability Data

• R3 [R4]. “Each TOP [BA] shall distribute its data specification to entities that have data required by the TOP’s [BA’s] Operational Planning Analyses, Real-time monitoring, and Real-time Assessment.”

• R5. “Each TOP, BA, GO, GOP, LSE, TO and DP receiving a data specification in R3, R4 shall satisfy the obligations of the documented specifications..”

System Operating Limits

• “The value (such as MW, Mvar, A, f, and V) that satisfies the most limiting of the prescribed operating criteria for a specified system configuration within acceptable reliability criteria. SOLs are based upon certain operating criteria. These include, but are not limited to:

– Facility Ratings (applicable pre-and post-Contingency equipment or facility ratings)”

– Transient Stability Ratings (pre- and post- Contingency)

– Voltage Stability Ratings (pre- and post- Contingency)

– System Voltage Limits (pre- and post- Contingency)

See also NERC SOL White Paper

TOP-002-4 Operations Planning

• R1. “Each TOP shall have an Operational Planning Analysis that will allow it to assess whether its planned operations for the next day within its TOP area will exceed any of its System Operating Limits (SOLs).”

• R2. “Each TOP shall have an Operating Plan(s) for next-day operations to address potential SOL exceedances identified as a result of its Operational Planning Analysis as required in R1.”

• More than just identifying a possible overload

• Operators should understand how markets and TLRs control flow if this is the mitigation


TOP-002-4 Operations Planning

• R3. “Each TOP shall notify entities identified in the Operating Plan… of their role…”

• R4 and R5… similar planning for BAs

• R6 [R7]. Each TOP [BA] shall provide its Operating Plan for next day operations … to its RC.

Audit hint:

• SPP RE will check to make sure you notified appropriate parties in the plans and the RC prior to the operating day


TOP-001-3 Transmission Operations

• R1 [R2]. Each TOP [BA] shall act to maintain the reliability of its TOP [BA] Area via its own actions or by issuing Operating Instructions.

• R3 [R5]. Each BA [TOP], GOP, and DP shall comply with each Operating Instruction issued by its TOP [BA], unless such action cannot be physically implemented or it would violate safety, equipment, regulatory, or statutory requirements.

• R4 [R6]. Inform of inability…

• R7. TOP Emergency assistance


TOP-001-3 Transmission Operations

• R8. Each TOP shall inform its RC, known impacted BAs, and known impacted TOPs, of its actual or expected operations that result in, or could result in, an Emergency.

• R9. Each BA and TOP shall notify its RC and known impacted interconnected entities of all planned outages, and unplanned outages of 30 minutes or more, for telemetering and control equipment, monitoring and assessment capabilities, and associated communication channels between affected entities.


TOP-001-3 Transmission Operations

• R10. Each TOP shall perform the following as necessary for determining SOL exceedances within its TOP area:

– 10.1 within, monitor Facilities and SPS status

– 10.2 outside, obtain status, voltage, and flow and SPS status

Only facilities that affect you are needed

You need to be able to justify what was not included

• R11. BA monitor its area/SPS to maintain gen/load

• R12. Don’t operate outside the IROL for long


TOP-001-3 Transmission Operations

• R13. Each TOP shall ensure a Real-Time Assessment is performed at least once every 30 minutes.

– Computer logs

– Checklists

– Third party (such as RTO) OK

• R14. Each TOP shall initiate its Operating Plan to mitigate a SOL exceedance identified as part of its Real-time monitoring or Real Time Assessment.

• R15. Each TOP shall inform the RC of action taken to return system to within limits.


TOP-001-3 Transmission Operations

• R16 [R17]. Each TOP [BA] shall provide its System Operators with the authority to approve planned outages and maintenance of its telemetering and control equipment, monitoring and assessment capabilities, and associated communication channels between affected entities.

– EMS, SCADA maintenance, RTU maintenance, server failover, ICCP links, etc.

– For RTO markets, does the BA operator approve plant telemetering maintenance that affects AGC?


TOP-001-3 Transmission Operations

• R18. Each TOP shall operate to most limiting in instances where there is a difference in SOLs.

• R19 [R20]. Each TOP [BA] shall have data exchange capabilities with the entities that it has identified that it needs data from in order to maintain reliability within the TOP [BA] area.


TOP-001-3 Transmission Operations Evidence

• Voice recordings, emails

• Computer logs, alarming

• System specifications

• System alarming

• RTCA failure alarms

• Operators’ logs to document actions taken


• Please feel free to ask…

Greg Sorenson Senior Compliance Engineer 501-688-1713 [email protected]

Jeff Rooker Lead Compliance Engineer 501-614-3278 [email protected]

Questions


Compliance Monitoring and Enforcement Program (CMEP) 101

September 29, 2015

Mike Hughes

Lead Compliance Engineer


TOPICS

• HOW WE GOT HERE

• REGULATORY RELATIONSHIPS

• KEY GUIDANCE DOCUMENTS

• NERC STANDARDS

• NERC STANDARDS REVISION PROCESS

• OVERVIEW OF SPP RE

• OVERVIEW OF ENFORCEMENT

• OUTREACH


HOW WE GOT HERE


Road to Mandatory Compliance

1930s-2007: Compliance is voluntary

1965 Blackout

1968 NERC formed with SPP as founding member

2003 Blackout

2005 Energy Policy Act creates Electric Reliability Organization (ERO) to develop/enforce compliance

2006 NERC becomes ERO

2007 NERC delegates authority to 8 Regional Entities (RE)

SPP members choose to become a Regional Entity

Standards become mandatory


Reliability History: Key Dates

1968: National Electric Reliability Council (NERC) established by the electric industry in response to 1965 Northeast blackout

2002: NERC operating policy and planning standards became mandatory and enforceable in Ontario, Canada

2003: Blackout report recommends mandatory reliability standards

2005: U.S. Energy Policy Act of 2005 creates the Electric Reliability Organization (ERO)

2006: Federal Energy Regulatory Commission (FERC) certified NERC as the ERO; Memoranda of Understanding (MOUs) with some Canadian Provinces

2007: North American Electric Reliability Council became the North American Electric Reliability Corporation (NERC); FERC issued Order 693 approving 83 of 107 proposed reliability standards; became mandatory and enforceable


REGULATORY RELATIONSHIPS


Regulatory Relationships

FERC

• Oversees NERC via 2005 Energy Policy Act

• Approves NERC standards and NERC-approved violation dispositions

NERC

• Delegates enforcement authority to Regional Entities via FERC-approved agreements

• Approves violation dispositions from Regional Entities

• Develops standards with industry input

Regional Entities

• Monitors Registered Entities, with authority to find violations and levy financial penalties/sanctions for non-compliance

• May participate in standards development process

Registered Entities

• Responsible for compliance with NERC standards

• May participate in standards development process

Role of Regional Entities in the ERO

• Delegation agreement defines relationship

• Based on NERC Rules of Procedure

• NERC approves regional budgets

• NERC audits regional compliance programs

KEY DOCUMENTS


Foundational Guiding Documents

• Energy Policy Act of 2005 – Section 215

• Rules of Procedure (ROP) – Section 400

– Provides for NERC oversight of Regional Entities (REs)

– Compliance program attributes (audit cycles, independence, confidentiality)

– ROP Appendix 4C, Compliance Monitoring and Enforcement Program

Hierarchy of Governing Documents

• Federal regulations

• FERC Orders and Directives

• NERC Rules of Procedure

• NERC directives (such as bulletins)

• Professional standards (such as Generally Accepted Government Auditing Standards)

• Tools, practices and procedures (including RSAWs, NERC templates, and recommended best practices)

Rules of Procedure

Rules of Procedure address:

• Standards development process

• Compliance Monitoring and Enforcement Program (CMEP)

• Business plans and budgets

• Regional entity oversight

• Training and education

NERC Rules-of-Procedure

CMEP Implementation Plan

• Implementation Plan (IP) is annual operating plan for NERC and REs in performance of their responsibilities and duties in CMEP implementation

• Annual NERC IP specifies NERC Reliability Standards and Requirements to be actively monitored and audited by REs during implementation year

• Regional IPs:

– Identify additional standards/requirements that REs initially plan to actively monitor

– Describe how they will monitor

– Provide the RE’s annual audit plan

• Identifies key CMEP-related activities

• Describes other CMEP-related processes used for implementation

Importance

• NERC RISK ELEMENTS GUIDE for the 2015 CMEP IP

• 2015 ERO CMEP IP on NERC Resource Page


NERC STANDARDS


http://www.nerc.com/pa/Stand/Pages/default.aspx


NERC STANDARDS PROCESS


NERC Standards Process

[Diagram: participants in the standards process: Standards Committee, Stakeholders, Drafting Teams, Ballot Pools, Ballot Body, Standards Staff, Board of Trustees and Regulators; stakeholder labels include LSE, TDU, Gov’t, Gen, Mkt, RE, LEU and SEU]

[Flowchart: standards development steps; boxes include Authorize Posting SAR, Appoint DT, Draft Standard, Collect Informal Feedback, Submit Standard for QR, Revise, Post for Comment, Post for Ballot, Post for Comment/Ballot, Consider/Respond/Revise, Post for Recirculation Ballot, Board Adopts, Regulatory Agencies Approve, Implement]

OVERVIEW OF SPP RE


SPP RE is an independent and separate division of SPP, Inc. that assesses regional reliability and monitors and enforces our region’s compliance with reliability standards.

SPP RE is independent, but part of SPP, Inc.

[Diagram: SPP, Inc. and SPP RE. Labels: Confidential compliance information; Reports to Board of Directors; Reports to RE Trustees; Separate budget/funding mechanism; Intranet; Staff meetings; Policies & Procedures; Org groups]

What We Do: Register/certify BES users, owners, operators

~115 entities registered with SPP RE

What We Do: Assess compliance

• All Bulk Electric System users, owners, operators must register with an RE for oversight

• ~ 107 standards with ~ 1,100 requirements

• We monitor compliance through 7 methods

– Self-Reports

– Audits

– Self-Certifications

– Spot Checks

– Data Submittals

– Complaints

– Investigations

What We Do: Publish annual reliability assessments

[Chart: Total Internal Demand, MW value by year, 2013 to 2022]

What We Do: Analyze system events & develop lessons learned

Most Violated Standards

Based on rolling 12 months through 8/31/15 [Represents ~ 93% of total violations]

| SPP RE Rank | NERC 12 Month Rank * | Standard | Description | Number of Violations | Risk Factor |
|---|---|---|---|---|---|
| 1 | 7 | CIP-002 | Critical Cyber Asset Identification | 23 | High/Lower |
| 2 | 1 | CIP-007 | Systems Security Management | 20 | Med./Lower |
| 3 | 3 | CIP-005 | Electronic Security Perimeters | 13 | Med./Lower |
| 4 | 2 | CIP-006 | Physical Security - Critical Cyber Assets | 12 | Med./Lower |
| 5 | 4 | CIP-004 | Personnel & Training | 5 | Med./Lower |
| 6 | 8 | VAR-002 | Network Voltage Schedules | 5 | Med./Lower |
| 7 | 6 | CIP-003 | Security Management Controls | 4 | Med./Lower |
| 8 | 5 | PRC-005 | Protection System Maintenance | 4 | High/Lower |
| 9 | 9 | CIP-009 | Recovery Plan for Critical Cyber Assets | 3 | Med./Lower |
| 10 | 10 | FAC-008 | Facility Ratings (includes FAC-009) | 2 | Med./Lower |

* NERC as of June 30, 2014

** Not in NERC Rolling 12 month Top Ten

2014 SPP RE Year in Review

Numbers at a Glance

• Workshop & webinar attendees: 578

• Violations received: 121

• Violations processed: 188

• Videos produced: 8

• TFE actions: 271

• Reliability Assessments published: 3

• Registration changes: 25

• Newsletters published: 12

• Mitigation Plans reviewed: 101

• FFTs processed: 62

• Events processed: 30

• Audits performed: 56

• Audit reports issued: 54

• Achieved 122% of 2014 staff goals and metrics

ENFORCEMENT


Enforcement Overview

• Violation Initiation from one of 7 discovery methods

– Mitigation can begin at any time and runs in parallel with violation processing

• SPP RE issues Notice of Preliminary Screen

• SPP RE begins violation processing

• SPP RE issues Notice of Possible Violation (NPV)

• SPP RE then completes violation processing through one of four methods.

Enforcement Overview

• Processing methods are:

– Find, Fix, Track (FFT)

– Compliance Exception

– Dismissal

– Settlement

– Notice of Confirmed Violation (NOCV)

• FERC will issue orders of “no further review” for settlements and NOCV

Find, Fix and Track

FFT enforcement track characteristics

• Minimal and moderate risk noncompliance only

• Penalty not imposed

• Part of compliance history

• Registered entity can opt out

• PV becomes issue of non-compliance

Compliance Exception

• Minimal risk noncompliance only

• Penalty not imposed

• Becomes part of entity’s compliance history only to the extent that it serves to inform the ERO Enterprise of potential risk

• Not part of entity’s violation history for purposes of aggravation of penalties

• Will be submitted to NERC/FERC; disposition of public posting is determined per NERC policy

Self-Logging of Minimal Risk Issues

• The NERC Guidance document for self-logging, ERO Enterprise Self-Logging Program, was issued May 20, 2015

• Allows Registered Entities that have demonstrated effective management practices to keep track of minimal risk noncompliance (and mitigation) on a log that is periodically submitted to SPP RE

• To request participation in self-logging, please email [email protected]

OUTREACH


SPP RE Outreach Program

SPP.org webpages

Monthly newsletter

Lessons Learned

Online videos

3 annual workshops

• Please feel free to ask…

Mike Hughes

Lead Compliance Engineer

501-688-1712

[email protected]

Questions


CIP V5 Evidence and Expectations

September 29, 2015

Sushil Subedi and Steven Keller SPP RE Staff


Evidence Request Workbooks*

• Excel file will be provided as a guideline to provide evidence for every requirement

• Evidence request for each requirement will have a separate tab

• Within each tab, requirement parts are broken down


Example of evidence request


Quality Evidence

• Evidence that is appropriate, sufficient and adequate

– Appropriate: relevant, valid, and reliable in providing support for findings and conclusions

– Sufficient: enough to lead a prudent person to the same conclusions that you have reached

– Adequate: evidence that is of high enough quality to be used for analysis and proof

Appropriate Quality Evidence

• Relevant: logically related to the issue

• Valid: extent to which evidence is based on sound reasoning or accurate information

• Reliable: consistency of results when information is measured or tested

Sufficient Quality Evidence


• Having a large volume of evidence does not compensate for the lack of relevance, validity, or reliability

• In some cases, one quality piece of evidence may be sufficient for the requirement

• Sufficiency of evidence relies on the relevance of the requirement

Adequate Quality Evidence

• Evidence is of high enough quality to be used for analysis and proof

• An example of adequate evidence would be:

– Document title, definition

– Revision level, date

– Effective date

– Authorizing signatures

CIP-002-5.1, Requirement R1

CIP-002-5.1, R1 Evidence

• Approved list of High and Medium Impact BES Cyber Systems

• Approved list of assets containing Low Impact BES Cyber Systems

• Evidence that the BES Cyber System(s) list is reviewed at least once every 15 calendar months

• Evidence that the BES Cyber System(s) list is updated as necessary

CIP-002-5.1 Requirement R2

CIP-002-5.1, R2 Evidence

• Evidence of reviewing the identifications in Requirement R1 and its parts at least once every 15 calendar months

• Evidence that the Senior Manager or delegate has approved the identifications required by Requirement R1 at least once every 15 calendar months.

– Supporting evidence- Approval of CIP Senior Manager and, if applicable, the delegation.

• Evidence of electronic or physical dated records to demonstrate that the Responsible Entity has reviewed and updated identifications required in Requirement R1


CIP-005-5, R1

• Part 1.1- All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.

– Evidence: List of all ESPs with all uniquely identifiable applicable Cyber Assets connected via a routable protocol within each ESP

• Part 1.2- All External Routable Connectivity must be through an identified Electronic Access Point (EAP).

– Evidence: Network diagrams showing all external routable communication paths and the identified EAPs

CIP-005-5, R1

• Part 1.3- Require inbound and outbound access permissions, including the reason for granting access, and deny all other access by default.

– Evidence: List of rules (firewall, access control lists, etc.) that demonstrate that only permitted access is allowed and that each access rule has a documented reason

• Part 1.4- Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.

– Evidence: Documented process that describes how the Responsible Entity is providing authenticated access through each dial-up connection


CIP-005-5, R1

• Part 1.5- Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.

– Evidence: Documentation that malicious communications detection methods (e.g. intrusion detection system, application layer firewall, etc.) are implemented

CIP-005-5, R2

• Part 2.1- Utilize an Intermediate System such that the Cyber Asset initiating Interactive Remote Access does not directly access an applicable Cyber Asset.

– Evidence: Network diagrams or architecture documents

• Part 2.2- For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.

– Evidence: Architecture documents detailing where encryption initiates and terminates

CIP-005-5, R2

• Part 2.3- Require multi-factor authentication for all Interactive Remote Access sessions.

– Evidence: architecture documents detailing the authentication factors used (e.g. something the individual knows, something the individual has, something the individual is)

CIP-006-5 R1

• Part 1.1- Define operational or procedural controls to restrict physical access.

– Evidence: documentation that operational or procedural controls exist.

• Part 1.2- Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Security Perimeter to only those individuals who have authorized unescorted physical access.

– Evidence: language in the physical security plan that describes each Physical Security Perimeter and how unescorted physical access is controlled by one or more different methods and proof that unescorted physical access is restricted to only authorized individuals, such as a list of authorized individuals accompanied by access logs.

CIP-006-5, R1

• Part 1.3- Where technically feasible, utilize two or more different physical access controls (this does not require two completely independent physical access control systems) to collectively allow unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unescorted physical access.

– Evidence: language in the physical security plan that describes the Physical Security Perimeters and how unescorted physical access is controlled by two or more different methods and proof that unescorted physical access is restricted to only authorized individuals, such as a list of authorized individuals accompanied by access logs.

CIP-006-5, R1

• Part 1.4- Monitor for unauthorized access through a physical access point into a Physical Security Perimeter.

– Evidence: An example of evidence may include, but is not limited to, documentation of controls that monitor for unauthorized access through a physical access point into a Physical Security Perimeter.

CIP-006-5, R1

• Part 1.5- Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical Security Perimeter to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection.

– Evidence: language in the physical security plan that describes the issuance of an alarm or alert in response to unauthorized access through a physical access control into a Physical Security Perimeter and additional evidence that the alarm or alert was issued and communicated as identified in the BES Cyber Security Incident Response Plan, such as manual or electronic alarm or alert logs, cell phone or pager logs, or other evidence that documents that the alarm or alert was generated and communicated.

CIP-006-5, R1

• Part 1.6- Monitor each Physical Access Control System for unauthorized physical access to a Physical Access Control System.

– Evidence: documentation of controls that monitor for unauthorized physical access to a PACS.

CIP-006-5, R1

• Part 1.7- Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of the detection.

– Evidence: language in the physical security plan that describes the issuance of an alarm or alert in response to unauthorized physical access to Physical Access Control Systems and additional evidence that the alarm or alert was issued and communicated as identified in the BES Cyber Security Incident Response Plan, such as alarm or alert logs, cell phone or pager logs, or other evidence that the alarm or alert was generated and communicated.

CIP-006-5, R1

• Part 1.8- Log (through automated means or by personnel who control entry) entry of each individual with authorized unescorted physical access into each Physical Security Perimeter, with information to identify the individual and date and time of entry.

– Evidence: language in the physical security plan that describes logging and recording of physical entry into each Physical Security Perimeter and additional evidence to demonstrate that this logging has been implemented, such as logs of physical access into Physical Security Perimeters that show the individual and the date and time of entry into Physical Security Perimeter.

CIP-006-5, R1

• Part 1.9- Retain physical access logs of entry of individuals with authorized unescorted physical access into each Physical Security Perimeter for at least ninety calendar days.

– Evidence: dated documentation such as logs of physical access into Physical Security Perimeters that show the date and time of entry into Physical Security Perimeter.
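An added example, not part of the workshop slides or of NERC or SPP RE material: one way to turn the CIP-006-5 R1 evidence for Parts 1.2, 1.5/1.7, 1.8 and 1.9 into a repeatable check over access and alert logs. The log format, PSP names, individuals and alert records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real logs. Fields: time, PSP, individual, result.
ACCESS_LOG = """\
2015-06-20T06:02:11,PSP-1,asmith,granted
2015-08-03T14:15:40,PSP-1,jdoe,granted
2015-08-03T14:16:02,PSP-1,,granted
2015-09-10T22:41:09,PSP-1,tlee,granted
2015-09-10T22:43:30,PSP-2,tlee,denied
"""

# Hypothetical list of individuals authorized for unescorted access, per PSP.
AUTHORIZED = {"PSP-1": {"asmith", "jdoe"}, "PSP-2": {"asmith"}}

# Constructed alarm records: (time detected, time the response-plan personnel
# were notified, or None when no notification was recorded).
ALERTS = [
    ("2015-09-10T22:43:30", "2015-09-10T22:51:00"),
    ("2015-09-12T03:10:00", "2015-09-12T03:31:45"),
    ("2015-09-14T11:00:00", None),
]

ALERT_LIMIT = timedelta(minutes=15)  # Parts 1.5 and 1.7
RETENTION_DAYS = 90                  # Part 1.9


def parse_log(text):
    """Parse the constructed CSV-style access log into records."""
    records = []
    for line in text.strip().splitlines():
        when, psp, who, result = line.split(",")
        records.append({"time": datetime.fromisoformat(when), "psp": psp,
                        "who": who.strip(), "result": result.strip()})
    return records


def entry_findings(records, authorized):
    """Granted entries that lack an identity (Part 1.8) or whose individual
    is not on the authorized list for that PSP (Part 1.2)."""
    findings = []
    for r in records:
        if r["result"] != "granted":
            continue  # denied attempts are not entries; they feed monitoring
        stamp = r["time"].isoformat()
        if not r["who"]:
            findings.append((stamp, r["psp"],
                             "entry without an identified individual"))
        elif r["who"] not in authorized.get(r["psp"], set()):
            findings.append((stamp, r["psp"],
                             r["who"] + " is not on the authorized list"))
    return findings


def late_alerts(alerts):
    """Alerts not communicated within 15 minutes of detection.
    Returns (detected, delay in minutes), or None as delay if never sent."""
    late = []
    for detected, notified in alerts:
        if notified is None:
            late.append((detected, None))
            continue
        delay = datetime.fromisoformat(notified) - datetime.fromisoformat(detected)
        if delay > ALERT_LIMIT:
            late.append((detected, delay.total_seconds() / 60))
    return late


def retained_days(records, as_of):
    """Calendar days between the oldest retained entry and the review date.
    A value below RETENTION_DAYS means the retained log cannot cover 90 days;
    a larger value does not by itself prove that no entries were purged."""
    oldest = min(r["time"] for r in records)
    return (as_of.date() - oldest.date()).days


if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    for finding in entry_findings(recs, AUTHORIZED):
        print("ENTRY", finding)
    for finding in late_alerts(ALERTS):
        print("ALERT", finding)
    print("retained days:", retained_days(recs, datetime(2015, 9, 29)))
```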

CIP-006-5, R2

• Part 2.1- Require continuous escorted access of visitors (individuals who are provided access but are not authorized for unescorted physical access) within each Physical Security Perimeter, except during CIP Exceptional Circumstances.

– Evidence: language in a visitor control program that requires continuous escorted access of visitors within Physical Security Perimeters and additional evidence to demonstrate that the process was implemented, such as visitor logs.

CIP-006-5, R2

• Part 2.2- Require manual or automated logging of visitor entry into and exit from the Physical Security Perimeter that includes date and time of the initial entry and last exit, the visitor’s name, and the name of an individual point of contact responsible for the visitor, except during CIP Exceptional Circumstances.

– Evidence: language in a visitor control program that requires continuous escorted access of visitors within Physical Security Perimeters and additional evidence to demonstrate that the process was implemented, such as dated visitor logs that include the required information.

CIP-006-5, R2

• Part 2.1- Retain visitor logs for at least ninety calendar days.

– Evidence: documentation showing logs have been retained for at least ninety calendar days.

CIP-007-5, R1

• Part 1.1- Where technically feasible, enable only logical network accessible ports that have been determined to be needed by the Responsible Entity, including port ranges or services where needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device then those ports that are open are deemed needed.

– Evidence: Documentation of the need for all enabled ports on all applicable Cyber Assets and Electronic Access Points, individually or by group.

– Listings of the listening ports on the Cyber Assets, individually or by group, from either the device configuration files, command output (such as netstat), or network scans of open ports; or

– Configuration files of host-based firewalls or other device level mechanisms that only allow needed ports and deny all others.
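An added example, not from the workshop slides or from NERC or SPP RE: one way to reconcile a listing of listening ports (here `netstat -tuln` style output) against the documented need for each enabled port, including a port range for dynamic ports. The sample output and the baseline entries are constructed; treating loopback-only listeners as not network accessible is an assumption of this example.

```python
# Constructed `netstat -tuln` output for one Cyber Asset (sample data, not real).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:20000           0.0.0.0:*               LISTEN
tcp6       0      0 :::49160                :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Hypothetical documented-need baseline: (protocol, low port, high port, need).
# A range covers services that use dynamic ports.
BASELINE = [
    ("tcp", 22, 22, "SSH administration"),
    ("tcp", 20000, 20000, "DNP3 to RTUs"),
    ("tcp", 49152, 49200, "vendor dynamic range"),
    ("udp", 123, 123, "NTP"),
    ("tcp", 443, 443, "HMI web console"),
]


def parse_listeners(text):
    """Return {(proto, local_address, port)} for listening sockets."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        proto = fields[0][:3]  # fold tcp6/udp6 into tcp/udp
        # TCP sockets count only in LISTEN state; UDP rows have no state column.
        if proto == "tcp" and fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.add((proto, addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def review(text, baseline):
    """Compare observed listeners with the documented baseline."""
    undocumented, loopback_only, seen = set(), set(), set()
    for proto, addr, port in parse_listeners(text):
        match = next((b for b in baseline
                      if b[0] == proto and b[1] <= port <= b[2]), None)
        if match:
            seen.add(match)
        elif is_loopback(addr):
            loopback_only.add((proto, port))   # not reachable from the network
        else:
            undocumented.add((proto, port))    # enabled with no documented need
    return {
        "undocumented": sorted(undocumented),
        "loopback_only": sorted(loopback_only),
        # Documented but not observed: the justification may be stale.
        "unobserved": [b for b in baseline if b not in seen],
    }


if __name__ == "__main__":
    for category, items in review(NETSTAT_SAMPLE, BASELINE).items():
        print(category, items)
```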

CIP-007-5, R1

• Part 1.1- Protect against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media.

– Evidence: documentation showing types of protection of physical input/output ports, either logically through system configuration or physically using a port lock or signage.

CIP-007-5, R2

• Part 2.1- A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.

– Evidence: documentation of a patch management process and documentation or lists of sources that are monitored, whether on an individual BES Cyber System or Cyber Asset basis.

CIP-007-5, R2

• Part 2.1- At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.

– Evidence: an evaluation conducted by, referenced by, or on behalf of a Responsible Entity of security-related patches released by the documented sources at least once every 35 calendar days.

CIP-007-5, R2

• Part 2.3- For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the following actions:

• Apply the applicable patches; or

• Create a dated mitigation plan; or

• Revise an existing mitigation plan.

• Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timeframe to complete these mitigations.

CIP-007-5, R2

– Part 2.3 Evidence: Records of the installation of the patch (e.g., exports from automated patch management tools that provide installation date, verification of BES Cyber System Component software revision, or registry exports that show software has been installed); or

– A dated plan showing when and how the vulnerability will be addressed, to include documentation of the actions to be taken by the Responsible Entity to mitigate the vulnerabilities addressed by the security patch and a timeframe for the completion of these mitigations.

CIP-007-5, R2

• Part 2.4- For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by the CIP Senior Manager or delegate.

– Evidence: records of implementation of mitigations.
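An added example, not from the workshop slides or from NERC or SPP RE: a check of patch-management records against the CIP-007-5 R2 timing described above (evaluation at least once every 35 calendar days, action within 35 calendar days of the evaluation, and mitigation plans implemented within their own timeframe unless an extension is approved). The record layout, dates and patch ids are constructed, and an action taken on day 35 is treated as within the window.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=35)  # both 35-calendar-day limits on the slides

# Constructed evaluation dates for one tracked patch source (sample data).
EVALUATIONS = [date(2016, 1, 4), date(2016, 2, 5), date(2016, 3, 15)]

# Constructed patch records; the ids are placeholders, not real advisories.
PATCHES = [
    {"id": "PATCH-A", "evaluated": date(2016, 1, 4), "applicable": True,
     "action": "applied", "action_date": date(2016, 1, 20)},
    {"id": "PATCH-B", "evaluated": date(2016, 1, 4), "applicable": True,
     "action": "plan_created", "action_date": date(2016, 2, 10),
     "plan_due": date(2016, 4, 1), "implemented": date(2016, 3, 20)},
    {"id": "PATCH-C", "evaluated": date(2016, 2, 5), "applicable": True,
     "action": "plan_created", "action_date": date(2016, 2, 20),
     "plan_due": date(2016, 3, 31), "implemented": None},
    {"id": "PATCH-D", "evaluated": date(2016, 2, 5), "applicable": True,
     "action": "plan_revised", "action_date": date(2016, 2, 20),
     "plan_due": date(2016, 3, 31), "implemented": None,
     "extension_approved": True},  # approved by CIP Senior Manager or delegate
    {"id": "PATCH-E", "evaluated": date(2016, 3, 15), "applicable": False},
    {"id": "PATCH-F", "evaluated": date(2016, 3, 15), "applicable": True,
     "action": None, "action_date": None},
]


def evaluation_gaps(eval_dates, as_of=None):
    """Intervals longer than 35 calendar days between consecutive evaluations.
    With as_of, the interval from the last evaluation to that date is included."""
    points = sorted(eval_dates) + ([as_of] if as_of else [])
    return [(a, b, (b - a).days)
            for a, b in zip(points, points[1:]) if b - a > WINDOW]


def action_findings(patches, as_of):
    """Applicable patches whose action or mitigation plan missed its deadline."""
    findings = []
    for p in patches:
        if not p["applicable"]:
            continue
        deadline = p["evaluated"] + WINDOW
        acted = p.get("action_date")
        if acted is None:
            if as_of > deadline:
                findings.append((p["id"], "no action within 35 days of evaluation"))
            continue  # still inside the window, nothing to report yet
        if acted > deadline:
            findings.append((p["id"], "action taken after the 35-day window"))
        if p["action"] in ("plan_created", "plan_revised"):
            due, done = p["plan_due"], p.get("implemented")
            late = (as_of > due) if done is None else (done > due)
            if late and not p.get("extension_approved", False):
                findings.append(
                    (p["id"], "mitigation plan overdue without approved extension"))
    return findings


if __name__ == "__main__":
    review_date = date(2016, 4, 15)
    for gap in evaluation_gaps(EVALUATIONS, review_date):
        print("EVALUATION GAP", gap)
    for finding in action_findings(PATCHES, review_date):
        print("ACTION", finding)
```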

CIP-007-5, R5

• Part 5.1- Have a method(s) to enforce authentication of interactive user access, where technically feasible.

– Evidence: documentation describing how access is authenticated.

• Part 5.2- Identify and inventory all known enabled default or other generic account types, either by system, by groups of systems, by location, or by system type(s).

– Evidence: listing of accounts by account types showing the enabled or generic account types in use for the BES Cyber System

CIP-007-5, R5

• Part 5.3- Identify individuals who have authorized access to shared accounts.

– Evidence: listing of shared accounts and the individuals who have authorized access to each shared account.

• Part 5.4- Change known default passwords, per Cyber Asset capability.

– Evidence: Records of a procedure that passwords are changed when new devices are in production; or

– Documentation in system manuals or other vendor documents showing default vendor passwords were generated pseudo-randomly and are thereby unique to the device.

CIP-007-5, R5

• Part 5.5- For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters:

– 5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and

– 5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.

CIP-007-5, R5

– Part 5.5 Evidence: System-generated reports or screen-shots of the system-enforced password parameters, including length and complexity
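An added example, not from the workshop slides or from NERC or SPP RE: how the "lesser of" wording in Parts 5.5.1 and 5.5.2 sets a different password floor for each Cyber Asset, and how system-enforced settings can be checked against that floor. The asset records and field names are constructed, and only technical (not procedural) enforcement is modelled.

```python
import string

# Character types named in Part 5.5.2.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed asset records (hypothetical names and capabilities).
ASSETS = {
    # General-purpose server: supports long passwords and all four types.
    "hmi-server": {"max_length": 127,
                   "supported_classes": ["upper", "lower", "digit", "symbol"],
                   "enforced_min_length": 8, "enforced_min_classes": 3},
    # Relay front panel: six characters at most, digits only.
    "relay-01": {"max_length": 6, "supported_classes": ["digit"],
                 "enforced_min_length": 6, "enforced_min_classes": 1},
    # Switch that could enforce more than it is configured to.
    "switch-02": {"max_length": 32,
                  "supported_classes": ["upper", "lower", "digit", "symbol"],
                  "enforced_min_length": 6, "enforced_min_classes": 2},
}


def required(asset):
    """Effective floor for one asset: (minimum length, minimum character types).
    Each value is the lesser of the standard's figure and the asset's capability."""
    return (min(8, asset["max_length"]),
            min(3, len(asset["supported_classes"])))


def policy_gaps(asset):
    """Where the system-enforced settings fall below the effective floor."""
    need_len, need_types = required(asset)
    gaps = []
    if asset["enforced_min_length"] < need_len:
        gaps.append("length %d enforced, %d required"
                    % (asset["enforced_min_length"], need_len))
    if asset["enforced_min_classes"] < need_types:
        gaps.append("%d character types enforced, %d required"
                    % (asset["enforced_min_classes"], need_types))
    return gaps


def password_ok(password, asset):
    """Check one candidate password against the asset's effective floor."""
    need_len, need_types = required(asset)
    chars = set(password)
    used = sum(1 for name in asset["supported_classes"] if chars & CLASSES[name])
    return len(password) >= need_len and used >= need_types


if __name__ == "__main__":
    for name, asset in ASSETS.items():
        print(name, "floor", required(asset), "gaps", policy_gaps(asset))
```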

CIP-007-5, R5

• Part 5.6- Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.

– Evidence: System-generated reports or screen-shots of the system-enforced periodicity of changing passwords;

CIP-007-5, R5

• Part 5.7- Where technically feasible, either:

• Limit the number of unsuccessful authentication attempts; or

• Generate alerts after a threshold of unsuccessful authentication attempts.

– Evidence: Documentation of the account lockout parameters; or

– Rules in the alerting configuration showing how the system notified individuals after a determined number of unsuccessful login attempts.

Further Reference

• You may also want to watch CIP V5 Preparing for Audit video

• Other V5 videos are posted to our video training library

Questions/Comments

Steven Keller [email protected] (501) 688-1633

Sushil Subedi [email protected] (501) 482-2334

Breakout Session

SPP RE Inherent Risk Assessment and Internal Controls Evaluation

September 29, 2015

James Williams, Lead Compliance Specialist

Steven Keller, Lead Compliance Specialist

Objectives

• Describe the SPP RE IRA process

• Describe the SPP RE ICE process

• Describe the tools used for IRA and ICE

• Explain the use of the IRA and ICE results

Inherent Risk Assessment (IRA) Process

• Why is SPP RE doing an Inherent Risk Assessment?

– To develop the Registered Entity’s compliance oversight plan

  • Identify the level of risk to the BPS

  • Monitoring scope

  • Monitoring method

  • Monitoring frequency

– To understand the Registered Entity so we can assess the risks

Process Steps

Information Gathering

• SPP RE’s IRA Questionnaire

• SPP RE’s Asset Spreadsheet

• Internal information

– Previous audit reports

– Self-certifications

– Reliability Coordinator Questionnaire

– Compliance history

Inherent Risk Assessment

• Compliance Oversight Plan – Monitoring method, frequency and scope

• Registration – Registered functions, identify the entity’s RC, BA, TOP…

• JRO/CFRs – What function, requirements and responsible entity

• Compliance History – Previous violations, discovery method, mitigated

• Technical Assessment – Risk factors, transmission and generation

• CIP Data – SCADA, workstations

• Technical Feasibility Exceptions – Requirements, current status, devices

• Internal Control Evaluation Performed - Std/Req, date, control implementation

• Monitoring Scope – Attachment 1

• Reference Documents – Risk Assessment Questionnaire, previous audit reports, self-certifications

• Event Review – summary of event

• Enforcement Mitigation Assessment – Mitigation milestones

• Registered Entity Assessment Revision History

Inherent Risk Assessment

Compliance Oversight Plan

The entity assessment of Acme Power Company was performed to identify the monitoring and scope of the compliance engagement for 2016. The assessment of the attributes identified the levels of risk for the entity to the BES and the Regional Entity’s footprint. SPP RE determined that an on-site audit of Acme Power Company will be conducted on May 9 – 12, 2016 in accordance with NERC Rules of Procedure, 403.11. The engagement scope is based on the Risk Elements from the NERC 2015 Implementation Plan and the 2015 SPP RE Audit Scope Document applicable to the entity’s registered functions. SPP RE evaluated 35 risk attributes from the ERO Enterprise Inherent Risk Assessment Guide. The results were nine (9) high risk, eleven (11) moderate risk, twelve (12) low risks, and three (3) not applicable. The monitoring scope includes 30 standards with 70 requirements, see Attachment 1.

Monitoring Method: O&P/CIP Audit

Date: May 9, 2016

Frequency of IRA: Audit 3 year cycle

Next Monitoring: May 2019

Registration

Inherent Risk Assessment – Technical Assessment

Inherent Risk Assessment

CIP Data

Results

• IRA will be presented by the IRA Team Lead to the SPP RE IRA Review Team for evaluation of the results

• Upon completion of the review, the IRA Team Lead will present to SPP RE management for approval

• The results will determine the Compliance Oversight Plan:

• Risk areas

• Monitoring method

• Scope of the engagement

• Frequency of the monitoring

Summary of the Assessment

• Registered Entity will be presented with an IRA Results Summary Report to allow for clarity and transparency in the assessment process

• SPP RE will ask the Registered Entity if they would like an Internal Control Evaluation (ICE) performed for any of the requirements in their monitoring scope

• At this point, the ICE process will begin

Internal Control Evaluation Process

• How does a Registered Entity request an ICE?

• With the IRA Assessment Letter you will receive an Internal Control Evaluation Workbook

• What is in the Workbook?

– List of the Standards/Requirements that are in scope

– The Registered Entity will identify the Standard/Requirement for which they want an ICE performed

– SPP RE will review the list of controls the Registered Entity has selected and prioritize by risk and available SPP RE resources

Self Logging

• What is Self Logging

– A method of self reporting low impacting non-compliance issues

– Reporting done quarterly

– Requesting self logging privileges

– Notify Enforcement

– Review of your Compliance program

• Entity Assessment for Self-Logging

– Review the Registered Entity’s internal compliance program

Evaluation of Design

• If the Registered Entity requests an evaluation, SPP RE will request documentation of the internal controls’ design

• Entity vs. Activity level controls

– Entity-Level Controls: controls which are pervasive across an organization and include culture, values and ethics, governance, transparency and accountability

– Activity-Level Controls: controls specific to a process or a function; may be manual or automated

• SPP RE will review the design of the internal controls and determine their sufficiency

• SPP RE will develop a Test Plan of the internal controls

Design Examples

• Preventative Controls

– Documented process

– Training

– Change management

– Log review roles and responsibilities

• Detective Controls

– Periodic verification

– Periodically test monitoring

Evaluation of Effectiveness

• Testing is based on the facts and circumstances of the internal control program

• Testing may include documentation such as logs, videos, software files, process checklists, etc.

• The criteria in the ERO Enterprise Internal Control Evaluation Guide will be used to determine the effectiveness of the implementation of the internal controls

Level of Implementation

• Fully Implemented – Sufficient evidence and/or affirmations are present and judged to be adequate to demonstrate process and implementation. No weakness noted.

• Largely Implemented - Sufficient evidence and/or affirmations are present and judged to be adequate to demonstrate process and implementation. One or more weaknesses noted.

• Partially Implemented – Data indicates the process and internal controls are implemented and some data indicate the practice is not implemented.

Level of Implementation

• Not Implemented – Some or all data are absent or judged to be inadequate; data supplied does not support the conclusion that the process is implemented. One or more significant weaknesses.

• Missing – The design of the control is not ready to be implemented.

Results

• After the level of implementation of controls has been determined, SPP RE will consider whether testing may be reduced during the monitoring fieldwork

– No fieldwork

– Reduced sampling

Inherent Risk Assessment and Internal Control Evaluation Timeline

• IRA started at approx 180 days prior to monitoring activity.

• IRA completed and approved at approx 165 days prior to monitoring activity and the IRA Letter is sent to the registered entity.

• Upon receiving the IRA Letter, the Registered Entity will have 10 days to request an ICE.

• The Registered Entity will provide documentation and SPP RE will evaluate the design of the Internal Control.

• Registered Entity will provide documentation and SPP RE will evaluate the effectiveness of the Internal Controls.

• SPP RE will send the Registered Entity the monitoring activity notification at 90 days as stated in the RoP.

• Start of the monitoring activity.

James Williams, Lead Compliance Specialist, 501.614.3261, [email protected]

Steven Keller, Lead Compliance Specialist, 501-688-1633, [email protected]

FAC-008 and PRC-005 Guidance

September 29, 2015 Fall Workshop

SPP RE Staff: Jeff Rooker, Jim Williams

Outline

• FAC-008-3 R1, R2, and R6 guidance

• FAC-008-3 General Guidance

• PRC-005 General Guidance

• PRC-005 Transition/Implementation Plan

• PRC-005 R5 Guidance

FAC-008-3 R1 Guidance

R1. “Each Generator Owner shall have documentation for determining the Facility Ratings of its solely and jointly owned generator Facility(ies) up to the low side terminals of the main step up transformer if the Generator Owner does not own the main step up transformer and the high side terminals of the main step up transformer if the Generator Owner owns the main step up transformer.”

FAC-008-3 R1 Guidance

1.1. “The documentation shall contain assumptions used to rate the generator and at least one of the following:

• Design or construction information such as design criteria, ratings provided by equipment manufacturers, equipment drawings and/or specifications, engineering analyses, method(s) consistent with industry standards (e.g. ANSI and IEEE), or an established engineering practice that has been verified by testing or engineering analysis.

• Operational information such as commissioning test results, performance testing or historical performance records, any of which may be supplemented by engineering analyses.”

FAC-008-3 R1 Guidance

1.2. “The documentation shall be consistent with the principle that the Facility Ratings do not exceed the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.”

• The auditor must verify that the basis for the Facility Rating includes all applicable Equipment Ratings up to the point of interconnection with the TO, but without the Equipment Rating detail required per R2 and R3.

• Typically need one-line with ratings.

FAC-008-3 R1 Guidance

RSAW Question: Does Registered Entity solely and/or jointly own the main step up transformer?

• Answer to this Question is used in conjunction with R2 to define point of interconnection with TO. Where R1 ends, R2 begins.

FAC-008-3 R1 Guidance

• Standard Drafting Team comments for Project 2009-06 R1 and R2 apply to Generator Owners and should be considered together.

R1 relates to the generator electrical rating and any other electrical components up to the GSU to verify Facility Rating.

R1 does not ask for any ratings of specific equipment within the plant (turbine, feed pump, etc.) but only the rating at the specific points in the requirement.

7


FAC-008-3 R1 Guidance

• Evidence could be that your Facility Rating is based on the annual full load capability test per SPP criteria 12. The actual Facility Rating would be the result of that test.

• Normal and Emergency ratings are not included in R1, which provides for the Facility Rating of the generation equipment.

8


FAC-008-3 R2 Guidance

• R2 only applies if a GO owns facilities beyond the location specified in R1 (which is typically the GSU). If the GO does not own facilities past the location specified in R1, then R2 does NOT apply. R3 begins the Facility Rating process for TOs.

9


FAC-008-3 R6 Guidance

R6 “Each Transmission Owner and Generator Owner shall have Facility Ratings for its solely and jointly owned Facilities that are consistent with the associated Facility Ratings methodology (FRM) or documentation for determining its Facility Rating.”

• The audit team will evaluate the associated generator facility rating spreadsheet to verify it is consistent with the FRM (i.e. normal/emergency ratings, ambient conditions if included).

10


FAC-008-3 General Guidance

• Use consistent units in determining facility ratings (MVA). SPP Criteria 12.2, Transmission circuits: circuit ratings will be specified in MVA and are taken as the minimum of all of the elements in series.

• A transmission circuit shall consist of all load carrying elements between circuit breakers or the comparable switching devices.

• Ensure you have underlying evidence of ratings development (one lines with ratings shown, nameplate data, IEEE or industry standards utilized).

• Ensure you include ambient conditions and operating limitations per R2.2 and R3.2.

11


FAC-008-3 General Guidance

• Ensure normal and emergency facility ratings developed match what is in EMS, used by transmission planners in studies, reported to the RC (SPP, MISO), TSP (SPP, MISO) and the Planning Coordinator (SPP, MISO).

• Ensure documentation on changes made to facility ratings by engineering are provided to operations.

• Clarify transformer ratings with cooling in FRM and rating spreadsheets.

• Maintain a revision history on FRM.

12


FAC-008-3 General Guidance

• Verify the most limiting element equipment rating of terminals with 3rd party owners, and re-verify periodically.

• Verify all RSAW narratives explain evidence of compliance.

• Document basis for emergency ratings for components.

• If using open bus configuration for ring/breaker and a half scheme (two paths), verify Operations has normal and contingency Facility Rating in EMS in real time.

• These open bus ratings should be considered when switching and approving outages.

13


FAC-008-3 General Guidance

• Ensure you have internal controls to:

– Maintain and verify changes in facility ratings.

– Maintain an inventory of equipment requiring ratings.

– Consider sampling of facilities to verify ratings consistent with FRM and consistent with ratings used in operations.

– Verify that as-built conditions are reviewed to ensure the design ratings are still correct.

– Verify RC and TOP seasonal facility ratings are the same.

14


FAC-008-3 General Guidance

• Review questions to ask:

– Is everything in the one-line diagram in series considered in the development of the facility rating?

– Are the most limiting elements identified?

– Are they the same or different for normal and emergency ratings?

15


PRC-005 Guidance

• PRC-005-3(i) adds Automatic Reclosing Maintenance (effective 4/1/16).

• PRC-005-4 adds Sudden Pressure Relay Maintenance (effective 10/1/16).

• PRC-005 is not applicable to dispersed generation resources below an aggregate of 75 MVA (same position as the dispersed generation resource white paper).

• The implementation plan established under PRC-005-2 remains unchanged except for the addition of Automatic Reclosing and Sudden Pressure Relays.

16


PRC-005 Transition

• While in transition from version 1, be prepared to identify:

– All applicable Protection System components.

– The plan under which they were last maintained: Legacy standard or PRC-005-2 (or successor standard v3(i) or v4).

• Maintain documentation to demonstrate compliance with the Legacy Standards until the entity meets the requirements of PRC-005-2 in accordance with this implementation plan.

17


PRC-005 Implementation

• Each entity will maintain each of their Protection System components according to their maintenance program already in place for the legacy standards or according to the program for PRC-005-2, but not both.

• Once an entity has designated PRC-005-2 as its maintenance program for specific Protection System components, they cannot revert to the legacy program for those components. (You get to make the call, but you can’t take it back.)

• New components added after April 1, 2015 must be in the PRC-005-2 program and the maintenance activities prescribed.

18


PRC-005 Implementation

• Phased implementation based on maximum allowable interval.

• The Implementation Timetable does not reset the clock for the maintenance interval.

• Retire Legacy Standards by April 1, 2027.

Implementation Plan

19


Implementation Timetable

20


21

PRC-005 Implementation Example A


22

PRC-005 Implementation Example B


PRC-005 Implementation

• Must remain in compliance with version 1 until verified compliance with activities described in the tables of version 2.

• Examples:

– PRC-005-1b did not previously apply, but PRC-005-2 does apply to the device. UFLS-CT/PTs (12 year interval): The entity would need to complete the first test for 30% of the applicable devices by 4/1/19. See slide 21.

– PRC-005-1b previously applied, but there are new maintenance activities required under PRC-005-2. The device must continue to be maintained in accordance with the PRC-005-1b program until that device is first maintained in accordance with PRC-005-2, which must occur by 4/1/17 for devices with a one to two year test interval.

23


PRC-005 Implementation

PRC-005-1b previously applied, and previous maintenance essentially meets the requirements of PRC-005-2. In this case, the entity may simply “move” the device to the new program PRC-005-2 because the previous (PRC-005-1b) maintenance test supports the requirements of PRC-005-2. Having moved the device to PRC-005-2, the entity would then continue to maintain the device according to the intervals in the new PRC-005-2 program. See slide 20.

24


PRC-005 General Guidelines

• Evidence

• Provide summary by component of previous test date, most recent test and next test date to verify intervals and under what version they were tested.

• Clearly identify which relays have associated communications.

• Clearly indicate page number or highlighting of test results by component.

• Relay names on test forms should match RATSTATS or provide index.

25


PRC-005 General Guidelines

• Internal Controls

– What are some ways to check the electronic database to ensure that it is complete? All components, all substations and generation.

– How do people make sure new/upgraded substations are tracked in the program?

– How is the work of relay technicians reviewed? Did they complete the work, mitigate any issues, as found, as left?

26


PRC-005 R5

• Definition – Unresolved Maintenance Issue: A deficiency identified during a maintenance activity that causes the component to not meet the intended performance, cannot be corrected during the maintenance interval, and requires follow-up action.

The entity “shall demonstrate efforts to correct any identified Unresolved Maintenance Issues.”

• Measure: evidence may include but is not limited to work orders, replacement Component orders, invoices, project schedules with completed milestones, return material authorizations (RMAs) or purchase orders.

27


PRC-005 R5

Evidence

• List of Unresolved Maintenance Issues: April 1, 2015. Any UMI on this date will be reviewed back to 2014. Tracking from April 1, 2014 for UMI will be needed.

• List is to include:

– Resolved Maintenance Issues.

– Remaining Unresolved Maintenance Issues.

28


• Please feel free to ask…

Jim Williams Lead Compliance Specialist 501-614-3261 [email protected]

Jeff Rooker Lead Compliance Engineer 501-614-3278 [email protected]

Questions

29


Fall Workshop


2

Watch “SPP RE 101” videos!

SPP.org > Regional Entity > Outreach


2016 Outreach

• Workshops

– March 15-16, Spring 2016 Workshop, Little Rock

– June 8-9, CIP 2016 Workshop, Little Rock

– Sept. 20-21, Fall 2016 Workshop, Oklahoma City

• Trustee Meetings

– January 25, 2016 - Oklahoma City

– April 25, 2016 - Santa Fe

– July 25, 2016 - Rapid City

– October 24, 2016 - Little Rock

3


4

New Standards: October 1, 2015

• COM-001-2 Communications

• CIP-014-1 — Physical Security (NEW)

• PRC-006-2 -Automatic Underfrequency Load Shedding


5

New Standards: January 1, 2016

• FAC-001-2 — Facility Interconnection Requirements

• FAC-002-2 — Facility Interconnection Studies

• NUC-001-3— Nuclear Plant Interface Coordination

New Standards: April 1, 2016

• CIP Version 5 Standards

• PRC-005-3 — Protection System and Automatic Reclosing Maintenance


New Standards: July 1, 2016

• COM-002-4--Operating Personnel Communications Protocols

• MOD-025-2--Verification and Data Reporting of Generator Real and Reactive Power Capability and Synchronous Condenser Reactive Power Capability

• MOD-031-1—Demand and Energy Data

• PER-005-2 Operations Personnel Training

• PRC-004-4 Protection System Misoperation Identification and Correction

6


New Standards: July 1, 2016 (Cont.)

• PRC-019-2 Coordination of Generating Unit or Plant Capabilities, Voltage Regulating Controls, and Protection

• PRC-024-2 Generator Frequency and Voltage Protective Relay Settings

• BAL-001-2 Real Power Balancing Control Performance

7


VEGETATION CONTACTS

8

| | Last Reportable | Last Actionable |
|---|---|---|
| NERC (1Q-2015 Last Report) | 1Q-2015 | 3Q-2012 |
| SPP RE (2Q-2015 Last Report) | 1Q-2013 | 3Q-2010 |


9

Most Violated Standards Based on rolling 12 months through 8/31/15 [Represents ~ 93% of total violations]

* NERC as of June 30, 2014 ** Not in NERC Rolling 12 month Top Ten

| SPP RE Rank | NERC 12 Month Rank * | Standard | Description | Number of Violations | Risk Factor |
|---|---|---|---|---|---|
| 1 | 7 | CIP-002 | Critical Cyber Asset Identification | 23 | High/Lower |
| 2 | 1 | CIP-007 | Systems Security Management | 20 | Med./Lower |
| 3 | 3 | CIP-005 | Electronic Security Perimeters | 13 | Med./Lower |
| 4 | 2 | CIP-006 | Physical Security - Critical Cyber Assets | 12 | Med./Lower |
| 5 | 4 | CIP-004 | Personnel & Training | 5 | Med./Lower |
| 6 | 8 | VAR-002 | Network Voltage Schedules | 5 | Med./Lower |
| 7 | 6 | CIP-003 | Security Management Controls | 4 | Med./Lower |
| 8 | 5 | PRC-005 | Protection System Maintenance | 4 | High/Lower |
| 9 | 9 | CIP-009 | Recovery Plan for Critical Cyber Assets | 3 | Med./Lower |
| 10 | 10 | FAC-008 | Facility Ratings (includes FAC-009) | 2 | Med./Lower |


NERC Facility Ratings Alert Status

• 6 Transmission Owners have extensions

• Work has extended into 2016 in some cases

• Final count in SPP RE:

– 7,100 discrepancies found

– 100% High priority lines complete as of 7/15/15

– 72% Medium priority lines complete as of 7/15/15 (up from 68% on 12/31/14)

– 85% Low priority lines complete as of 7/15/15 (up from 67% on 12/31/14)

10


SPP RE Misoperation Report as of Q2-15


Causes of Misoperations Q2-13 to Q2-15


Misoperation Causes as a percentage Q2-14 to Q2-15


Operation/Misoperation Comparison


Misoperations by Relay Type


Misoperations by Type