RELIABILITY | RESILIENCE | SECURITY
Welcome: NERC 2019 Compliance and Standards Workshop
Embassy Suites by Hilton, Minneapolis
July 23, 2019
NERC Antitrust Compliance Guidelines
It is NERC's policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers, or any other activity that unreasonably restrains competition.
Public Announcement
Participants are reminded that this meeting is public. Notice of the meeting was posted on the NERC website and widely distributed. The notice included the number for dial-in participation. Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities.
General Announcements
• Safety: fire exits, calling 911, alerting hotel staff, CPR
• Other logistics: Q&A, restrooms
Today's Agenda
• 9:00 – 12:00 pm: NERC 101 (Howard Gugel, Steve Noess)
• 12:00 – 1:00 pm: Lunch
• 1:00 – 1:10 pm: Welcome and Introductions (Chris Boyd-Witherspoon)
• 1:10 – 1:30 pm: Keynote Remarks (Sara Patrick)
• 1:30 – 2:00 pm: Application of the ERO Enterprise's Reliability Toolkit (Mark Lauby)
Today's Agenda (continued)
• 2:00 – 3:30 pm: Internal Controls (Joseph Baugh, Keith Smith)
• 3:30 – 3:45 pm: Break
• 3:45 – 4:45 pm: Internal Controls Panel (Ryan Mauldin, Paolo D'Alessandro, Kristen Long, Thad Ness)
• 4:45 – 5:00 pm: General Q&A | Closing Announcements (Chris Boyd-Witherspoon)
• 5:30 – 6:30 pm: Reception
Keynote Remarks
Sara Patrick, President and CEO, MRO
2019 Compliance and Standards Workshop, July 23, 2019
Welcome to Minnesota: NERC Compliance and Standards Workshop, July 23, 2019
[Photo: Whyte Ridge retention pond, Winnipeg, Manitoba. Source: Winnipeg Free Press]
[Photo: White Bear Lake, Minnesota]
A highly reliable and secure North American bulk power system
Framework to Address Known and Emerging Reliability Risks
Mark Lauby, NERC Senior Vice President and Chief Reliability Officer
2019 Compliance and Standards Workshop, July 23, 2019
Bulk Power System Reliability and Security
[Diagram: Bulk Power System Resilience sits within Bulk Electric System Reliability; resilience is a characteristic of a reliable system. Scope is solely the Bulk Power System and does not include local distribution systems.]
• NERC Reliability Assurance: Standards, Compliance, Enforcement, Registration, Certification
• NERC Reliability Assessments and Performance Analysis: Reliability Assessments, System Analysis, Events Analysis, Performance Analysis, Situational Awareness
• Operator Training
• E-ISAC
Resilience Indicators
[Figure: reliability R(t) plotted against time t. A Disruptive Event occurs at T_disruption; reliability degrades from R_100 (Reliable) to the nadir R_ALR-Nadir (the Robustness of the system bounds the depth of the drop, the Amplitude is its size); recovery begins at T_rebound and the system reaches its Recovery State at T_recovered, which may be Improved, Stable, or Deteriorated relative to R_Target. The Degradation, Recovery, and Recovery State phases are marked. If the event is detectable, the entity can pre-position before T_disruption.]
Ensuring ALR
[Figure: the same R(t) curve annotated for the Adequate Level of Reliability (ALR). Reliable Operation is the region at or above R_Target. During the Disruptive Event the objective is to avoid and control the degradation (e.g., serve critical load) so that R(t) does not fall below R_ALR-Nadir between T_disruption and T_rebound, and the system reaches a Recovered Steady-State by T_recovered. If the event is detectable, pre-position.]
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks.
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation that the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines, and standard development. A framework is needed that provides a transparent process using industry and ERO Enterprise experts. The framework must span risk identification, deployment of mitigation strategies, and monitoring the success of those mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts that are probable, and sustained risks with severe impacts whether probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond the standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts are used for time-sensitive information: for information only, to request action, or to direct action.
5. A combination of tools can be used to gain industry action, to set the stage for standards, and to address a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on whether a Reliability Standard is required.
Risk Tools and Time Horizon
[Diagram not reproduced]
Illustrative Diagram
[Diagram not reproduced]
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop, Minneapolis, MN, July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium impact BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1 Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes: Part 1.1; Part 1.2 (Parts 1.2.1 – 1.2.6); CIP-005-6 (Parts 2.4, 2.5); CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [Parts 1.2.1 – 1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts 1.1 and 1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1).
Note: bold font indicates [emphasis added] where applicable, to draw attention to specific items.
CIP-013-1 Part 1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part 1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six Part 1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part 1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part 1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents? What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part 1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do upon receiving such access notifications?
CIP-013-1 Part 1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures? How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part 1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors? What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
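The following Go program is an added example, not part of the WECC presentation or of any NERC guidance, showing one way an entity can implement the Part 1.2.5 check on a vendor-supplied patch. It assumes the vendor publishes a small release manifest (file name plus SHA-256 digest) signed with an Ed25519 key whose public half the entity obtained out of band and pinned; the manifest format, the key type, the file name and the "firmware" bytes are all constructed for the example. The signature check establishes authenticity (the manifest came from the holder of the vendor key) and the digest check establishes integrity (the bytes are the ones the vendor hashed); a hash downloaded alongside the file gives only the second property, because whoever replaced the file can replace the hash too.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical vendor release manifest: the file shipped and the
// SHA-256 digest the vendor computed over the exact bytes it shipped.
type Manifest struct {
	File   string `json:"file"`
	SHA256 string `json:"sha256"`
}

// SignedManifest is the manifest as received plus the vendor's Ed25519 signature over
// the manifest bytes; the signature is what binds the digest to a specific vendor key.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("authenticity: manifest signature does not verify against the pinned vendor key")
	ErrWrongFile    = errors.New("authenticity: signed manifest names a different file")
	ErrBadDigest    = errors.New("integrity: file digest does not match the signed manifest")
)

// VendorSign models the vendor side (constructed for this example): hash the
// payload, build the manifest, sign the manifest bytes with the vendor key.
func VendorSign(priv ed25519.PrivateKey, file string, payload []byte) SignedManifest {
	sum := sha256.Sum256(payload)
	raw, _ := json.Marshal(Manifest{File: file, SHA256: hex.EncodeToString(sum[:])}) // plain struct: cannot fail
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
}

// Verify is the entity-side check. pinnedPub is the vendor public key obtained out of
// band (e.g., at contract time) and kept with the SCRM records, never taken from the
// same download as the patch. Authenticate the manifest first, then check the payload
// against the authenticated digest.
func Verify(pinnedPub ed25519.PublicKey, sm SignedManifest, file string, payload []byte) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if m.File != file {
		return m, ErrWrongFile
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return m, err
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return m, ErrBadDigest
	}
	return m, nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the OS CSPRNG is unavailable
	}
	return pub, priv
}

// RunScenarios exercises the cases an auditor would ask about: a genuine patch, a patch
// whose bytes changed in transit, and a manifest signed by a key that is not the pinned
// vendor key. Keys and the "firmware" bytes are constructed in-process.
func RunScenarios() (genuine, tampered, wrongKey error) {
	vendorPub, vendorPriv := mustKey()
	_, imposterPriv := mustKey()
	const file = "rtu-firmware-4.2.1.bin" // hypothetical file name
	payload := []byte("constructed firmware image bytes for the example")
	sm := VendorSign(vendorPriv, file, payload)
	_, genuine = Verify(vendorPub, sm, file, payload)
	altered := append([]byte{}, payload...)
	altered[0] ^= 0x01 // a single flipped bit in the image
	_, tampered = Verify(vendorPub, sm, file, altered)
	forged := VendorSign(imposterPriv, file, altered) // digest matches the bytes, signer does not
	_, wrongKey = Verify(vendorPub, forged, file, altered)
	return genuine, tampered, wrongKey
}

func main() {
	genuine, tampered, wrongKey := RunScenarios()
	fmt.Println("genuine patch:  ", genuine)
	fmt.Println("tampered bytes: ", tampered)
	fmt.Println("imposter signer:", wrongKey)
}
```

Run with `go run`; the three scenarios report nil, the integrity error, and the authenticity error respectively. The Manifest that Verify returns on success, together with the fingerprint of the pinned key and the date of the check, is a natural artifact to retain with the R2 evidence for that procurement.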
CIP-013-1 Part 1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1 – 1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Parts 2.4 and 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect? What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date? Archive SCRM evidence on a case-by-case basis. What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months. Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3), and no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect? What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2: Review the 2019 NERC Staff Report on SCRM
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order No. 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and low impact BCS (LIBCS)
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1: Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. Federal Register 83(208), pp. 53992–54005. https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. MRC Agenda Item 9, pp. 4–43. https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security – Supply Chain Risk Management [Reliability Standard]. https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. Federal Register 84(96), pp. 22689–22692. https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. Federal Register 78(33), pp. 11739–11744. https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) – Critical Infrastructure. https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1–3. https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach U.S. Utility Control Rooms. The Wall Street Journal [Online]. https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door, and Russia Walked Through It. The Wall Street Journal [Online]. https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium impact BCS after July 1, 2020.
Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org

Facility Rating Internal Controls
Keith Smith, Manager, O&P Compliance Monitoring
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility: consideration of all applicable equipment; accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized: protection, analysis, monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations depend on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes: annual reviews; roles and responsibilities; identification of tools; step-by-step work instructions.
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes: Equipment Rating documentation; flagging when Equipment Rating changes impact Facility Ratings; identification of Facilities with unique characteristics; required fields dependent on characteristics of Facilities; automated notification for Facility Rating changes.
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate. Anomalies are evaluated for applicability to other Facilities; identified Facilities are prioritized for future field inspections.
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
[Diagram: Facility Ratings feed into TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, and PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states: its personnel will know to review Facility Ratings if equipment changes occur; appropriate personnel should receive an email when Facility Ratings change.
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include: evaluation of changes by subject matter experts; required change approvals prior to changes being implemented; notification to update the inventory after changes are implemented; confirmation that changes were implemented as planned.
Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include: automated notification of Facility Rating changes to
• Protection Engineering
• System Planning
• System Operations
• Operations Support
A checklist to verify appropriate follow-up action(s) taken; periodic comparisons with internal and external models.
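The following Go program is an added example, not from the presentation, that puts the Inventory, Verification, and Change Management examples above into one runnable control: Facility Ratings derived as the most limiting series Equipment Rating; an equipment-to-facility index so that a single Equipment Rating change is traced to every Facility that contains that element; automated notification only when a Facility Rating actually moves; and a detective comparison of stated versus derived ratings. The facility names, equipment IDs, ampere ratings, and notification list are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Equipment is one series element of a Facility and its Equipment Rating (amperes).
type Equipment struct {
	ID     string
	Rating float64
}

// Facility lists the series equipment that comprises it; its Facility Rating is
// derived from that equipment, never typed in by hand.
type Facility struct {
	Name      string
	Equipment []Equipment
}

// FacilityRating returns the most limiting applicable Equipment Rating and the
// element(s) that set it (+Inf and nil if no equipment is listed).
func (f Facility) FacilityRating() (float64, []string) {
	limit, limiting := math.Inf(1), []string(nil)
	for _, e := range f.Equipment {
		switch {
		case e.Rating < limit:
			limit, limiting = e.Rating, []string{e.ID}
		case e.Rating == limit:
			limiting = append(limiting, e.ID)
		}
	}
	return limit, limiting
}

// Impact records a Facility Rating that moved because an Equipment Rating changed,
// and the groups that must re-check protection settings, models, and limits.
type Impact struct {
	Facility string
	Old, New float64
	Notify   []string
}

// Constructed notification list, mirroring the groups named on the slide.
var downstream = []string{"Protection Engineering", "System Planning", "System Operations", "Operations Support"}

// Inventory indexes Facilities by name and equipment by ID, so one Equipment Rating
// change is traced to every Facility that contains that element.
type Inventory struct {
	Facilities map[string]*Facility
	byEquip    map[string][]string // equipment ID -> facility names
}

func NewInventory(fs []Facility) *Inventory {
	inv := &Inventory{Facilities: map[string]*Facility{}, byEquip: map[string][]string{}}
	for i := range fs {
		f := &fs[i]
		inv.Facilities[f.Name] = f
		for _, e := range f.Equipment {
			inv.byEquip[e.ID] = append(inv.byEquip[e.ID], f.Name)
		}
	}
	return inv
}

// ChangeEquipmentRating applies the change and returns one Impact per Facility whose
// derived rating moved. Facilities whose rating did not move raise no notification,
// which keeps the automated alert meaningful to its recipients.
func (inv *Inventory) ChangeEquipmentRating(equipID string, newRating float64) []Impact {
	var impacts []Impact
	names := append([]string{}, inv.byEquip[equipID]...)
	sort.Strings(names)
	for _, name := range names {
		f := inv.Facilities[name]
		old, _ := f.FacilityRating()
		for i := range f.Equipment {
			if f.Equipment[i].ID == equipID {
				f.Equipment[i].Rating = newRating
			}
		}
		if now, _ := f.FacilityRating(); now != old {
			impacts = append(impacts, Impact{Facility: name, Old: old, New: now, Notify: downstream})
		}
	}
	return impacts
}

// VerifyStated is the detective control: compare the Facility Ratings stated elsewhere
// (spreadsheet, EMS, planning model) with the ratings derived from the inventory and
// return the Facilities that disagree or are missing from the inventory.
func (inv *Inventory) VerifyStated(stated map[string]float64) []string {
	var mismatched []string
	for name, s := range stated {
		if f, ok := inv.Facilities[name]; !ok {
			mismatched = append(mismatched, name)
		} else if derived, _ := f.FacilityRating(); derived != s {
			mismatched = append(mismatched, name)
		}
	}
	sort.Strings(mismatched)
	return mismatched
}

// SampleInventory is constructed data: two lines that share breaker CB-1.
func SampleInventory() *Inventory {
	return NewInventory([]Facility{
		{Name: "Line 101", Equipment: []Equipment{{"CB-1", 2000}, {"CT-1", 1200}, {"Conductor-101", 1500}}},
		{Name: "Line 102", Equipment: []Equipment{{"CB-1", 2000}, {"CT-2", 1800}, {"Conductor-102", 1600}}},
	})
}

func main() {
	inv := SampleInventory()
	r, by := inv.Facilities["Line 101"].FacilityRating()
	fmt.Printf("Line 101: %.0f A, limited by %v\n", r, by)
	for _, im := range inv.ChangeEquipmentRating("CB-1", 1400) { // limiting only in Line 102
		fmt.Printf("%s: %.0f -> %.0f A, notify %v\n", im.Facility, im.Old, im.New, im.Notify)
	}
	fmt.Println("stale stated ratings:", inv.VerifyStated(map[string]float64{"Line 101": 1200, "Line 102": 1400}))
}
```

The main function shows the case that a spreadsheet-only inventory tends to miss: derating the shared breaker CB-1 to 1400 A changes the rating of Line 102 but not Line 101, whose CT is still the limiting element, so only Line 102 is flagged.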
Questions

Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24, 2019, Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approximately 8,000 employees.
[Map labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, the Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:
  Functions: DP (Distribution Provider), TO (Transmission Owner), TOP (Transmission Operator), TP (Transmission Planner), TSP (Transmission Service Provider)
  Eversource Energy Service Company, NCR07176: DP X, TO X, TOP X, TP X, TSP X
RELIABILITY | RESILIENCE | SECURITY2
It is NERCrsquos policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition This policy requires the avoidance of any conduct that violates or that might appear to violate the antitrust laws Among other things the antitrust laws forbid any agreement between or among competitors regarding prices availability of service product design terms of sale division of markets allocation of customers or any other activity that unreasonably restrains competition
NERC Antitrust Compliance Guidelines
RELIABILITY | RESILIENCE | SECURITY3
Participants are reminded that this meeting is public Notice of the meeting was posted on the NERC website and widely distributed The notice included the number for dial-in participation Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities
Public Announcement
RELIABILITY | RESILIENCE | SECURITY4
bull Safety Fire exits Calling 911 Alerting hotel staff CPR
bull Other Logistics QampA Restrooms
General Announcements
RELIABILITY | RESILIENCE | SECURITY5
bull 900 ndash 1200 pm NERC 101 Howard Gugel Steve Noess
bull 1200 ndash 100 pm Lunchbull 100 ndash 110 pm Welcome and Introductions Chris Boyd-Witherspoon
bull 110 ndash 130 pm Keynote Remarks Sara Patrick
bull 130 ndash 200 pm Application of the ERO Enterprisersquos Reliability Toolkit Mark Lauby
Todayrsquos Agenda
RELIABILITY | RESILIENCE | SECURITY6
bull 200 ndash 330 pm Internal Controls Joseph Baugh Keith Smith
bull 330 ndash 345 pm Breakbull 345 ndash 445 pm Internal Controls Panel Ryan Mauldin Paolo DrsquoAlessandro Kristen Long Thad Ness
bull 445 ndash 500 pm General QampA | Closing Announcements Chris Boyd-Witherspoon
bull 530 ndash 630 pm Reception
Todayrsquos Agenda
RELIABILITY | RESILIENCE | SECURITY7
RELIABILITY | RESILIENCE | SECURITY
Keynote Remarks
Sara Patrick President and CEO MRO2019 Compliance and Standards WorkshopJuly 23 2019
Welcome to MinnesotaNERC Compliance and Standards Workshop
July 23 2019
Whyte Ridge retention pond Winnipeg Manitoba Source Winnipeg Free Press
White Bear Lake Minnesota
A highly reliable and
secure North
American bulk power
system
RELIABILITY | RESILIENCE | SECURITY
Framework to Address Known and Emerging Reliability Risks
Mark Lauby NERC Senior Vice President and Chief Reliability Officer2019 Compliance and Standards WorkshopJuly 23 2019
RELIABILITY | RESILIENCE | SECURITY2
Bulk Power System Reliability
and Security
Bulk Power System Resilience
Bulk Electric System Reliability
Resilience is a Characteristic of a Reliable System
Solely the Bulk Power System Does not include local distribution systems
NERC Reliability Assurance bull Standardsbull Compliancebull Enforcementbull Registrationbull Certification
NERC Reliability Assessments and Performance Analysisbull Reliability Assessmentsbull System Analysisbull Events Analysisbull Performance Analysisbull Situational Awareness
Operator Training
E-ISAC
RELIABILITY | RESILIENCE | SECURITY3
Resilience Indicators
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Trecovered
Disruptive Event
Rel
iabi
lity
RTarget
Degradation Recovery Recovery State
Improved
Deteriorated
Robustness
t
If Detectable Pre-Position
Amplitude
Stable
RELIABILITY | RESILIENCE | SECURITY4
Ensuring ALR
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Disruptive Event
Reliable Operation
Avoid amp control (eg serve critical load)
Rel
iabi
lity
RTarget
Recovered Steady-State
If Detectable Pre-Position
Trecovered t
RELIABILITY | RESILIENCE | SECURITY5
Declaration amp Problem
bull DeclarationThe Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
bull Problem Statement ERO Enterprise has continued to lead industry in reliability and security
initiatives to identify known and emerging risks and their mitigation The reliability toolkit for risk mitigation the ERO currently deploys includes
for example webinars and conferences lessons learned Alerts Guidelines and standard development
A framework is needed to that provides a transparent process using industry and ERO Enterprise experts
Framework must include risk identification deployment of mitigation strategies to monitoring the success of these mitigations
RELIABILITY | RESILIENCE | SECURITY6
Six-Step Framework
1 Risk Identification2 Risk Prioritization3 Mitigation Identification and Evaluation4 Mitigation Deployment5 Measurement of Success6 Monitor Residual Risk
RELIABILITY | RESILIENCE | SECURITY7
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY8
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program: risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls: What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  – Part R1.1
  – Part R1.2 (Parts R1.2.1 – R1.2.6)
  – CIP-005-6 (Parts 2.4, 2.5)
  – CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2]. How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1).
Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective: "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement R1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
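One way an entity might carry out the Part 1.2.5 verification and keep the R2 evidence of it, as an added example that is not part of the presentation or of any NERC or WECC material. It assumes the vendor ships a SHA-256 manifest whose own digest is obtained through a second, separately authenticated channel; the vendor name, file names and file contents are constructed.

```python
"""Added example (not from the presentation): verifying the integrity and
authenticity of a vendor-supplied patch before it enters change management,
and recording the outcome as an R2 evidence artifact.

Assumptions (constructed, not real vendor data): the vendor ships a JSON
manifest listing a SHA-256 digest per file, and the entity obtains the digest
of that manifest through a second, separately authenticated channel (e.g. the
vendor's support portal rather than the download mirror). A digital signature
over the manifest would be the stronger form of this control; it is left out
to keep the example to the Python standard library.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def vendor_publish(files: dict) -> tuple:
    """Stand-in for the vendor side (constructed): build the manifest and
    return (manifest_bytes, manifest_digest). The digest is the value the
    entity fetches out of band."""
    manifest = {"files": {name: sha256_hex(data) for name, data in files.items()}}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    return manifest_bytes, sha256_hex(manifest_bytes)


def verify_patch(patch_id: str, vendor: str, files: dict,
                 manifest_bytes: bytes, oob_manifest_digest: str) -> dict:
    """Return an evidence record. 'decision' is 'approved for change management'
    only when the manifest is authentic AND every file matches it; an extra,
    missing or altered file fails the check."""
    record = {
        "patch_id": patch_id,
        "vendor": vendor,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "checks": [],
    }
    # Authenticity: the manifest in the download must match the digest obtained
    # through the independent channel. compare_digest avoids timing leaks.
    manifest_ok = hmac.compare_digest(sha256_hex(manifest_bytes), oob_manifest_digest)
    record["checks"].append({"check": "manifest_authenticity", "passed": manifest_ok})
    if not manifest_ok:
        # An untrusted manifest must not be used to judge the files.
        record["decision"] = "quarantined; vendor notified"
        return record
    expected = json.loads(manifest_bytes)["files"]
    # Integrity: walk the union of delivered and listed files so a file dropped
    # from, or added to, the delivery is caught as well as a changed one.
    for name in sorted(set(files) | set(expected)):
        exp = expected.get(name)
        act = sha256_hex(files[name]) if name in files else None
        ok = exp is not None and act is not None and hmac.compare_digest(act, exp)
        record["checks"].append({"check": "file_integrity", "file": name, "passed": ok})
    all_ok = all(c["passed"] for c in record["checks"])
    record["decision"] = "approved for change management" if all_ok else "quarantined; vendor notified"
    return record


# Constructed sample delivery: a firmware image and its release notes.
SAMPLE_FILES = {
    "rtu-firmware-2.4.1.bin": b"\x7fELF constructed firmware bytes",
    "release-notes.txt": b"Fixes constructed issue #1 (sample text)",
}


def demo() -> tuple:
    """Run the good case, an altered-file case and a substituted-manifest case;
    return the three evidence records."""
    manifest_bytes, oob_digest = vendor_publish(SAMPLE_FILES)
    good = verify_patch("PATCH-0001", "ExampleVendor", SAMPLE_FILES, manifest_bytes, oob_digest)

    altered_files = dict(SAMPLE_FILES)
    altered_files["rtu-firmware-2.4.1.bin"] += b"\x90"  # one byte changed in transit
    altered = verify_patch("PATCH-0001", "ExampleVendor", altered_files, manifest_bytes, oob_digest)

    # A manifest that agrees with the altered files but whose digest is not the
    # out-of-band value: shows the authenticity check is what catches it.
    fake_manifest_bytes, _ = vendor_publish(altered_files)
    substituted = verify_patch("PATCH-0001", "ExampleVendor", altered_files, fake_manifest_bytes, oob_digest)
    return good, altered, substituted


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec, indent=2))
```

The evidence record is what an R2 artifact for that procurement could be built from: what was checked, against which out-of-band value, when, and the resulting decision.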
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3); no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order No. 850, para. 5, p. 54994) within 24 months of the effective date of Order 850.
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS.
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program).
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1 – Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992–54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4–43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security – Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689–22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739–11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) – Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1–3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R., & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door – and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Facility Rating Internal Controls
Keith Smith, Manager, O&P Compliance Monitoring
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
  – Consideration of all applicable equipment
  – Accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized
  – Protection
  – Analysis
  – Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations depend on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies are evaluated for applicability to other Facilities
• Identified Facilities are prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
[Diagram slide showing Facility Ratings alongside the standards TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, and PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes implemented
• Confirmation that changes implemented as planned
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to
  – Protection Engineering
  – System Planning
  – System Operations
  – Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
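The inventory flagging from Inventory Example 2 and the change management evaluation from the two slides above, worked as an added example that is not part of the presentation or of any utility's tooling. Facility names, equipment and ampere ratings are constructed; the notification groups are the four the slide lists.

```python
"""Added example (not from the presentation): a small Facility Rating inventory
that derives each Facility Rating as the most limiting Equipment Rating of its
series equipment, verifies documented ratings against that derivation (a
detective control), and on an Equipment Rating change flags the affected
Facilities and the groups to notify (a change management control).

All facilities, equipment names and ampere ratings are constructed values, not
data from any utility.
"""
from dataclasses import dataclass

# Groups the "Change Management Example 2" slide lists for Facility Rating changes.
NOTIFY_ON_FACILITY_RATING_CHANGE = (
    "Protection Engineering", "System Planning", "System Operations", "Operations Support",
)


@dataclass
class Equipment:
    name: str
    rating_amps: float  # continuous Equipment Rating (constructed)


@dataclass
class Facility:
    name: str
    documented_rating_amps: float  # what the inventory currently records
    series_equipment: list  # Equipment in series; any one element limits the Facility


def most_limiting_rating(facility: Facility) -> tuple:
    """Return (rating, equipment_name) of the most limiting series element."""
    limiter = min(facility.series_equipment, key=lambda e: e.rating_amps)
    return limiter.rating_amps, limiter.name


def verify_facility_ratings(facilities: list) -> list:
    """Detective control: list every Facility whose documented rating does not
    equal the most limiting applicable Equipment Rating in the inventory."""
    anomalies = []
    for f in facilities:
        derived, limiter = most_limiting_rating(f)
        if f.documented_rating_amps != derived:
            anomalies.append({"facility": f.name, "documented": f.documented_rating_amps,
                              "derived": derived, "limiting_equipment": limiter})
    return anomalies


def apply_equipment_rating_change(facilities: list, equipment_name: str,
                                  new_rating_amps: float) -> list:
    """Change management: update the Equipment Rating wherever that equipment
    appears, update the inventory's Facility Rating where it moved, and return
    one notification per affected Facility. A change that does not move the
    most limiting rating produces no notification."""
    notifications = []
    for f in facilities:
        if not any(e.name == equipment_name for e in f.series_equipment):
            continue
        before, _ = most_limiting_rating(f)
        for e in f.series_equipment:
            if e.name == equipment_name:
                e.rating_amps = new_rating_amps
        after, limiter = most_limiting_rating(f)
        if after != before:
            f.documented_rating_amps = after  # inventory updated after the change
            notifications.append({"facility": f.name, "old_rating": before,
                                  "new_rating": after, "limiting_equipment": limiter,
                                  "notify": list(NOTIFY_ON_FACILITY_RATING_CHANGE)})
    return notifications


def build_sample_inventory() -> list:
    """Constructed inventory: Line 101 is correctly documented; Line 202's
    documented rating ignores a 1200 A current transformer."""
    return [
        Facility("Line 101", 1200.0, [
            Equipment("CB-101", 2000.0),    # circuit breaker
            Equipment("CT-101", 1200.0),    # current transformer: limiting element
            Equipment("COND-101", 1600.0),  # conductor
        ]),
        Facility("Line 202", 1500.0, [
            Equipment("CB-202", 1500.0),
            Equipment("CT-202", 1200.0),    # missed when the rating was documented
        ]),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print("anomalies:", verify_facility_ratings(inventory))
    print("CT-101 -> 2000 A:", apply_equipment_rating_change(inventory, "CT-101", 2000.0))
    print("CB-101 -> 1800 A:", apply_equipment_rating_change(inventory, "CB-101", 1800.0))
```

Raising CT-101 to 2000 A moves Line 101's limit to the conductor and triggers a notification; derating CB-101 to 1800 A leaves the Facility Rating at 1600 A and triggers none.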
Questions
Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Service territory map; labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

  Entity                                       | DP | TO | TOP | TP | TSP
  Eversource Energy Service Company (NCR07176) | X  | X  | X   | X  | X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
RELIABILITY | RESILIENCE | SECURITY3
Participants are reminded that this meeting is public Notice of the meeting was posted on the NERC website and widely distributed The notice included the number for dial-in participation Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities
Public Announcement
RELIABILITY | RESILIENCE | SECURITY4
bull Safety Fire exits Calling 911 Alerting hotel staff CPR
bull Other Logistics QampA Restrooms
General Announcements
RELIABILITY | RESILIENCE | SECURITY5
bull 900 ndash 1200 pm NERC 101 Howard Gugel Steve Noess
bull 1200 ndash 100 pm Lunchbull 100 ndash 110 pm Welcome and Introductions Chris Boyd-Witherspoon
bull 110 ndash 130 pm Keynote Remarks Sara Patrick
bull 130 ndash 200 pm Application of the ERO Enterprisersquos Reliability Toolkit Mark Lauby
Todayrsquos Agenda
RELIABILITY | RESILIENCE | SECURITY6
bull 200 ndash 330 pm Internal Controls Joseph Baugh Keith Smith
bull 330 ndash 345 pm Breakbull 345 ndash 445 pm Internal Controls Panel Ryan Mauldin Paolo DrsquoAlessandro Kristen Long Thad Ness
bull 445 ndash 500 pm General QampA | Closing Announcements Chris Boyd-Witherspoon
bull 530 ndash 630 pm Reception
Todayrsquos Agenda
RELIABILITY | RESILIENCE | SECURITY7
RELIABILITY | RESILIENCE | SECURITY
Keynote Remarks
Sara Patrick President and CEO MRO2019 Compliance and Standards WorkshopJuly 23 2019
Welcome to MinnesotaNERC Compliance and Standards Workshop
July 23 2019
Whyte Ridge retention pond Winnipeg Manitoba Source Winnipeg Free Press
White Bear Lake Minnesota
A highly reliable and
secure North
American bulk power
system
RELIABILITY | RESILIENCE | SECURITY
Framework to Address Known and Emerging Reliability Risks
Mark Lauby NERC Senior Vice President and Chief Reliability Officer2019 Compliance and Standards WorkshopJuly 23 2019
RELIABILITY | RESILIENCE | SECURITY2
Bulk Power System Reliability
and Security
Bulk Power System Resilience
Bulk Electric System Reliability
Resilience is a Characteristic of a Reliable System
Solely the Bulk Power System Does not include local distribution systems
NERC Reliability Assurance bull Standardsbull Compliancebull Enforcementbull Registrationbull Certification
NERC Reliability Assessments and Performance Analysisbull Reliability Assessmentsbull System Analysisbull Events Analysisbull Performance Analysisbull Situational Awareness
Operator Training
E-ISAC
RELIABILITY | RESILIENCE | SECURITY3
Resilience Indicators
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Trecovered
Disruptive Event
Rel
iabi
lity
RTarget
Degradation Recovery Recovery State
Improved
Deteriorated
Robustness
t
If Detectable Pre-Position
Amplitude
Stable
RELIABILITY | RESILIENCE | SECURITY4
Ensuring ALR
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Disruptive Event
Reliable Operation
Avoid amp control (eg serve critical load)
Rel
iabi
lity
RTarget
Recovered Steady-State
If Detectable Pre-Position
Trecovered t
RELIABILITY | RESILIENCE | SECURITY5
Declaration amp Problem
bull DeclarationThe Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
bull Problem Statement ERO Enterprise has continued to lead industry in reliability and security
initiatives to identify known and emerging risks and their mitigation The reliability toolkit for risk mitigation the ERO currently deploys includes
for example webinars and conferences lessons learned Alerts Guidelines and standard development
A framework is needed to that provides a transparent process using industry and ERO Enterprise experts
Framework must include risk identification deployment of mitigation strategies to monitoring the success of these mitigations
RELIABILITY | RESILIENCE | SECURITY6
Six-Step Framework
1 Risk Identification2 Risk Prioritization3 Mitigation Identification and Evaluation4 Mitigation Deployment5 Measurement of Success6 Monitor Residual Risk
RELIABILITY | RESILIENCE | SECURITY7
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY8
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
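To make the two checks behind Part R1.2.5 concrete, here is an added example of the sequence a receiving entity can run on a vendor-supplied patch before it goes near a BES Cyber System. It is illustrative code written for this page, not WECC's, NERC's or the presenter's, and not part of the original slides. It assumes a vendor that publishes a sha256sum-style manifest signed with an Ed25519 key, and an entity that already holds the vendor's public key obtained through a channel independent of the download; the key seeds, file name and artifact bytes are constructed for the example. Authenticity is checked first (does the manifest really come from the vendor?), then integrity (does the downloaded file match the digest the vendor signed?), and each failure mode returns a distinct error so the outcome can be recorded.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Distinct errors so the outcome of each check can be recorded separately.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the vendor public key")
	ErrMalformed      = errors.New("manifest line is malformed")
	ErrNotInManifest  = errors.New("artifact is not listed in the signed manifest")
	ErrDigestMismatch = errors.New("artifact SHA-256 does not match the signed manifest")
)

// ParseManifest reads "sha256hex  filename" lines (the sha256sum layout) into a
// map from file name to expected digest. Blank lines and '#' comments are skipped.
func ParseManifest(manifest string) (map[string][]byte, error) {
	entries := make(map[string][]byte)
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("%w: %q", ErrMalformed, line)
		}
		digest, err := hex.DecodeString(fields[0])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("%w: %q", ErrMalformed, line)
		}
		entries[fields[1]] = digest
	}
	return entries, sc.Err()
}

// VerifyPatch runs the two checks in order: authenticity of the manifest
// (vendor signature over the whole manifest text), then integrity of the
// artifact (its SHA-256 equals the digest the vendor signed for that name).
func VerifyPatch(vendorPub ed25519.PublicKey, manifest string, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(vendorPub, []byte(manifest), sig) {
		return ErrBadSignature
	}
	entries, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := entries[name]
	if !ok {
		return ErrNotInManifest
	}
	got := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// Constructed sample material (not real vendor data). Keys are derived from
// fixed 32-byte seeds so the example is reproducible; a real entity holds only
// the vendor's public key, obtained out of band from the download site.
var (
	vendorPriv = ed25519.NewKeyFromSeed([]byte("example-vendor-signing-seed-32b!"))
	VendorPub  = vendorPriv.Public().(ed25519.PublicKey)
	otherPriv  = ed25519.NewKeyFromSeed([]byte("some-other-party-seed-32-bytes!!"))
	GoodPatch  = []byte("relay-firmware-2.3.1 (constructed sample bytes)")
	Tampered   = []byte("relay-firmware-2.3.1 (constructed sample bytes) + one extra byte")
)

const PatchName = "relay-firmware-2.3.1.bin"

// SignedManifest builds the manifest the vendor would publish for GoodPatch
// and signs it with the vendor key.
func SignedManifest() (manifest string, sig []byte) {
	d := sha256.Sum256(GoodPatch)
	manifest = fmt.Sprintf("# constructed vendor manifest\n%s  %s\n", hex.EncodeToString(d[:]), PatchName)
	return manifest, ed25519.Sign(vendorPriv, []byte(manifest))
}

// ForgedManifest is the same text signed by a key that is not the vendor's:
// the digests look right, but the signature check rejects it.
func ForgedManifest() (manifest string, sig []byte) {
	manifest, _ = SignedManifest()
	return manifest, ed25519.Sign(otherPriv, []byte(manifest))
}

func main() {
	manifest, sig := SignedManifest()
	fmt.Println("genuine patch:  ", VerifyPatch(VendorPub, manifest, sig, PatchName, GoodPatch))
	fmt.Println("tampered patch: ", VerifyPatch(VendorPub, manifest, sig, PatchName, Tampered))
	forged, fsig := ForgedManifest()
	fmt.Println("forged manifest:", VerifyPatch(VendorPub, forged, fsig, PatchName, GoodPatch))
	fmt.Println("unlisted file:  ", VerifyPatch(VendorPub, manifest, sig, "other.bin", GoodPatch))
}
```

Two design points matter for the audit questions above. The signature covers the manifest rather than the file, because a digest published next to the download proves nothing about who produced it; authenticity comes from the vendor key the entity obtained independently. And the result of each check (artifact name, digest, which key verified it, outcome) is the kind of per-procurement record that can be kept with the R2 implementation evidence.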
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3).
No more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to “develop modifications to include EACMS associated with medium and high BES Cyber Systems” (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1, Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
• Protection
• Analysis
• Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example
[Diagram: Facility Ratings and the related Standards TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1 and PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes, but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes implemented
• Confirmation that changes implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
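As an added illustration of the Inventory Example 2 and Change Management Example 2 controls (example code written for this page, not from the presentation or from any utility's system), the following program models a small rating inventory. A Facility Rating is computed as the most limiting Equipment Rating of the Facility's series equipment, an Equipment Rating change is applied wherever that equipment appears (a breaker shared by two lines, for instance), and only the Facilities whose Facility Rating actually moved are flagged for notification to the four groups listed above. All facility names, equipment IDs and ampere values are constructed sample data.

```go
package main

import "fmt"

// Equipment is one item of series equipment with its Equipment Rating in amperes.
type Equipment struct {
	ID     string
	Rating float64
}

// Facility lists the series equipment that comprises it.
type Facility struct {
	Name      string
	Equipment []Equipment
}

// Inventory is the constructed stand-in for a Facility Rating database.
type Inventory struct {
	Facilities []Facility
}

// FacilityRating returns the most limiting applicable Equipment Rating of a
// Facility and the ID of the limiting element. ok is false when the Facility
// has no equipment recorded, which is itself a finding for the inventory.
func FacilityRating(f Facility) (rating float64, limiting string, ok bool) {
	for _, e := range f.Equipment {
		if !ok || e.Rating < rating {
			rating, limiting, ok = e.Rating, e.ID, true
		}
	}
	return rating, limiting, ok
}

// RatingChange records a Facility whose Facility Rating moved after an
// Equipment Rating change.
type RatingChange struct {
	Facility string
	Before   float64
	After    float64
}

// ApplyEquipmentChange updates every occurrence of equipment id to newRating
// (equipment such as a shared breaker can belong to more than one Facility) and
// returns only the Facilities whose Facility Rating actually changed. A change
// that does not move the most limiting element is evaluated but not flagged.
func ApplyEquipmentChange(inv *Inventory, id string, newRating float64) []RatingChange {
	var changes []RatingChange
	for i := range inv.Facilities {
		f := &inv.Facilities[i]
		before, _, _ := FacilityRating(*f)
		touched := false
		for j := range f.Equipment {
			if f.Equipment[j].ID == id {
				f.Equipment[j].Rating = newRating
				touched = true
			}
		}
		if !touched {
			continue
		}
		if after, _, _ := FacilityRating(*f); after != before {
			changes = append(changes, RatingChange{Facility: f.Name, Before: before, After: after})
		}
	}
	return changes
}

// Recipients mirrors the automated-notification distribution in Change
// Management Example 2.
var Recipients = []string{"Protection Engineering", "System Planning", "System Operations", "Operations Support"}

// Notifications renders one notification line per impacted Facility.
func Notifications(changes []RatingChange) []string {
	var out []string
	for _, c := range changes {
		out = append(out, fmt.Sprintf("Facility Rating change: %s %.0f A -> %.0f A; notify %v",
			c.Facility, c.Before, c.After, Recipients))
	}
	return out
}

// SampleInventory is constructed data: two lines that share breaker CB-1.
func SampleInventory() *Inventory {
	return &Inventory{Facilities: []Facility{
		{Name: "Line 101", Equipment: []Equipment{{"CB-1", 1200}, {"CT-1", 1000}, {"Conductor-101", 900}, {"Switch-1", 1200}}},
		{Name: "Line 102", Equipment: []Equipment{{"CB-1", 1200}, {"CT-2", 800}, {"Conductor-102", 1100}}},
	}}
}

func main() {
	inv := SampleInventory()
	for _, f := range inv.Facilities {
		r, lim, _ := FacilityRating(f)
		fmt.Printf("%s: Facility Rating %.0f A (limited by %s)\n", f.Name, r, lim)
	}
	// A CT rerating that stays above the limiting conductor changes nothing.
	fmt.Println("CT-1 -> 950 A impacted:", Notifications(ApplyEquipmentChange(inv, "CT-1", 950)))
	// A derate of the shared breaker below the conductor limit impacts Line 101 only;
	// Line 102 is still limited by CT-2 at 800 A.
	fmt.Println("CB-1 -> 850 A impacted:", Notifications(ApplyEquipmentChange(inv, "CB-1", 850)))
}
```

The point the sample data makes is the one the verification slides care about: an Equipment Rating change is not the same as a Facility Rating change, so the control has to re-evaluate the most limiting element for every Facility that contains the equipment rather than notifying on every equipment edit, and a Facility with no equipment recorded must surface as an inventory gap rather than silently rating as zero.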
Questions
Break
Webinar participants: We will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Map labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

  Entity                              NCR        DP   TO   TOP   TP   TSP
  Eversource Energy Service Company   NCR07176   X    X    X     X    X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
• 5:30 – 6:30 pm Reception
Today's Agenda
Keynote Remarks
Sara Patrick, President and CEO, MRO
2019 Compliance and Standards Workshop, July 23, 2019
Welcome to Minnesota: NERC Compliance and Standards Workshop, July 23, 2019
[Photo: Whyte Ridge retention pond, Winnipeg, Manitoba. Source: Winnipeg Free Press]
[Photo: White Bear Lake, Minnesota]
A highly reliable and secure North American bulk power system
Framework to Address Known and Emerging Reliability Risks
Mark Lauby, NERC Senior Vice President and Chief Reliability Officer
2019 Compliance and Standards Workshop, July 23, 2019
[Diagram: Bulk Power System Reliability and Security]
• Bulk Power System Resilience
• Bulk Electric System Reliability
• Resilience is a Characteristic of a Reliable System
• Solely the Bulk Power System: does not include local distribution systems
• NERC Reliability Assurance: Standards, Compliance, Enforcement, Registration, Certification
• NERC Reliability Assessments and Performance Analysis: Reliability Assessments, System Analysis, Events Analysis, Performance Analysis, Situational Awareness
• Operator Training
• E-ISAC
Resilience Indicators
[Figure: Reliability R(t) plotted against time t. Labels: Disruptive Event, T_disruption, R_ALR-Nadir, T_rebound, T_recovered, R_100 Reliable, R_Target, Degradation, Recovery, Recovery State (Improved / Stable / Deteriorated), Robustness, Amplitude, If Detectable Pre-Position]
Ensuring ALR
[Figure: the same Reliability R(t) versus t curve. Labels: Disruptive Event, T_disruption, R_ALR-Nadir, T_rebound, T_recovered, R_100 Reliable, R_Target, Reliable Operation, Avoid & control (e.g. serve critical load), Recovered Steady-State, If Detectable Pre-Position]
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks.
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines and standard development. A framework is needed that provides a transparent process using industry and ERO Enterprise experts. The framework must include risk identification, deployment of mitigation strategies, and monitoring of the success of these mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action.
5. A combination of tools can be used towards gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon
Illustrative Diagram
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC, 2017 April, Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements and/or Parts, and that address risks associated with the reliable operations of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems” (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  – Part R1.1
  – Part 1.2 (Parts R1.2.1 – R1.2.6)
  – CIP-005-6 (Parts 2.4, 2.5)
  – CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to “develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:” [see Parts R1.1 and R1.2]
How can I comply with R1?
• “Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks” (NERC, 2017 April, SCRM Implementation Guidance, General Considerations, p. 1)
Bold font indicates [emphasis added] where applicable, to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does “identify and assess” mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes, remember the CIP-013-1 Security Objective: “To mitigate cyber security risks…” (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: “The security objective is to ensure entities consider … options for mitigating these risks” (Part 1.1, p. 11).
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings

Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level

Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
• Establishing Facility Ratings
• Evaluating change impacts
• Verifying Facility Ratings

Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities

Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility

Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings

Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System

Change Management Example
[Diagram: Facility Ratings and the Reliability Standards that consume them: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change

Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned

Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to
  – Protection Engineering
  – System Planning
  – System Operations
  – Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
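Inventory Example 2, Verification Example 2 and Change Management Example 2 above describe the controls as features of a rating database. As an added example (not from the slides and not any entity's actual system), the Go program below implements the same three controls on a constructed inventory: it derives each Facility Rating as the most limiting series Equipment Rating, reports which Facilities' ratings change when an Equipment Rating is changed (the trigger for the automated notification to Protection Engineering, System Planning, System Operations and Operations Support), and compares a field inspection against the inventory to surface anomalies (the detective control). The Facility and equipment names, the ampere ratings and the wave-trap finding are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Equipment is one series element of a Facility with its Equipment Rating in
// amperes. All names and values in this example are constructed.
type Equipment struct {
	ID     string
	Rating float64
}

// Facility is the set of series equipment that comprises it.
type Facility struct {
	Name      string
	Equipment []Equipment
}

// FacilityRating applies the FAC-008 principle: the Facility Rating respects the
// most limiting Equipment Rating. ok is false for a Facility with no equipment on
// record, which is an inventory gap to flag rather than a rating of zero.
func FacilityRating(f Facility) (rating float64, limiting string, ok bool) {
	for i, e := range f.Equipment {
		if i == 0 || e.Rating < rating {
			rating, limiting, ok = e.Rating, e.ID, true
		}
	}
	return rating, limiting, ok
}

// Impact is a Facility whose Facility Rating changed: the payload of the
// automated notification to protection, planning and operations groups.
type Impact struct {
	Facility string
	Old, New float64
	Limiting string // equipment that now limits the Facility
}

// ApplyEquipmentChange records a new Equipment Rating wherever id appears in the
// inventory and returns the Facilities whose Facility Rating changed as a result.
// An unknown equipment ID is itself an inventory gap and is reported as an error.
func ApplyEquipmentChange(inventory []Facility, id string, newRating float64) ([]Impact, error) {
	var impacts []Impact
	found := false
	for i := range inventory {
		f := &inventory[i]
		old, _, _ := FacilityRating(*f)
		for j := range f.Equipment {
			if f.Equipment[j].ID == id {
				f.Equipment[j].Rating = newRating
				found = true
			}
		}
		if r, lim, _ := FacilityRating(*f); r != old {
			impacts = append(impacts, Impact{f.Name, old, r, lim})
		}
	}
	if !found {
		return nil, errors.New("equipment " + id + " is not in the inventory")
	}
	return impacts, nil
}

// Verify is the detective control behind a field inspection: it compares the
// equipment observed at a Facility with the inventory record and returns the
// anomalies (in the field but not on record, on record but not found, ratings
// that disagree), sorted so the output is stable.
func Verify(onRecord Facility, observed []Equipment) []string {
	record := map[string]float64{}
	for _, e := range onRecord.Equipment {
		record[e.ID] = e.Rating
	}
	var anomalies []string
	seen := map[string]bool{}
	for _, o := range observed {
		seen[o.ID] = true
		if r, ok := record[o.ID]; !ok {
			anomalies = append(anomalies, o.ID+": in field, not in inventory")
		} else if r != o.Rating {
			anomalies = append(anomalies, fmt.Sprintf("%s: inventory %g A, field %g A", o.ID, r, o.Rating))
		}
	}
	for id := range record {
		if !seen[id] {
			anomalies = append(anomalies, id+": in inventory, not found in field")
		}
	}
	sort.Strings(anomalies)
	return anomalies
}

func main() {
	// Constructed sample: one line with breaker, disconnect, CT and conductor in series.
	inventory := []Facility{{Name: "Line 101", Equipment: []Equipment{
		{"CB-101", 2000}, {"DS-101", 1600}, {"CT-101", 1200}, {"COND-101", 1500}}}}
	r, lim, _ := FacilityRating(inventory[0])
	fmt.Printf("Line 101 rated %g A, limited by %s\n", r, lim) // 1200 A, CT-101
	impacts, _ := ApplyEquipmentChange(inventory, "CT-101", 1600) // CT replaced with a larger one
	fmt.Printf("notify on: %+v\n", impacts)                        // 1200 -> 1500, now limited by COND-101
	fmt.Println(Verify(inventory[0], []Equipment{{"CB-101", 2000}, {"DS-101", 1600},
		{"CT-101", 1600}, {"COND-101", 1500}, {"WT-101", 1000}})) // wave trap in field, not on record
}
```

Two behaviours are the point of the example. A change to equipment that is not the limiting element (for instance uprating the breaker) produces no Impact and therefore no notification, while a change to the limiting element re-derives the rating and names the new limiting element; and a field inspection that finds equipment with no inventory record (the wave trap here) is exactly the case in which the Facility Rating of record may not respect the most limiting element, which is why the anomaly, not the computed rating, is what the control reports.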
Questions

Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019, Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance

Eversource Energy Service Territories
• Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
  – Connecticut Light & Power, with over 1,270,000 electric customers
  – NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
  – Public Service of New Hampshire, with 528,000 electric customers
• Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
• Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers
• Eversource serves nearly 230,000 water customers through Aquarion Water Company
• Eversource has approx. 8,000 employees
[Map of service territories; labels: ISO-NE, NSTAR, CONVEX, ESCC]

Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  – Connecticut Light and Power (NCR07044)
  – NSTAR Electric Company (NCR7180)
  – Public Service of New Hampshire (NCR07203)
  – Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  – Supports efforts for consistency and best practice across 3 states
  – Efficiency through consolidation of external audits
• In January 2018 PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP
• As of January 2018, Eversource Energy's functional registration is now:

  Entity                              NCR        DP   TO   TOP   TP   TSP
  Eversource Energy Service Company   NCR07176   X    X    X     X    X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
Today's Agenda
• 5:30 – 6:30 pm Reception
Keynote Remarks
Sara Patrick, President and CEO, MRO
2019 Compliance and Standards Workshop, July 23, 2019
Welcome to Minnesota: NERC Compliance and Standards Workshop, July 23, 2019
[Photo: Whyte Ridge retention pond, Winnipeg, Manitoba. Source: Winnipeg Free Press]
[Photo: White Bear Lake, Minnesota]
A highly reliable and secure North American bulk power system
Framework to Address Known and Emerging Reliability Risks
Mark Lauby, NERC Senior Vice President and Chief Reliability Officer
2019 Compliance and Standards Workshop, July 23, 2019

Bulk Power System Reliability and Security
[Diagram; labels: Bulk Power System Resilience; Bulk Electric System Reliability; Resilience is a Characteristic of a Reliable System; Solely the Bulk Power System, does not include local distribution systems]
• NERC Reliability Assurance: Standards, Compliance, Enforcement, Registration, Certification
• NERC Reliability Assessments and Performance Analysis: Reliability Assessments, System Analysis, Events Analysis, Performance Analysis, Situational Awareness
• Operator Training
• E-ISAC
Resilience Indicators
[Figure: reliability R(t) plotted against time t around a Disruptive Event. Reference levels: R100 (Reliable), RTarget, RALR-Nadir. Time marks: Tdisruption, Trebound, Trecovered. Phases: Degradation, Recovery, Recovery State (Improved or Deteriorated). Annotations: Robustness, Amplitude, Stable, "If Detectable: Pre-Position".]

Ensuring ALR
[Figure: the same R(t) curve against t, with R100 (Reliable), RTarget, RALR-Nadir, Tdisruption, Trebound and Trecovered. Annotations: Reliable Operation; Avoid & control (e.g., serve critical load); Recovered Steady-State; "If Detectable: Pre-Position".]
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines and standard development. A framework is needed that provides a transparent process using industry and ERO Enterprise experts. The framework must cover risk identification, deployment of mitigation strategies, and monitoring the success of those mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
[Six-Step Framework diagram, repeated across the following slides]
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable
4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action
5. A combination of tools can be used towards gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness and severity have a bearing on whether a Reliability Standard is required

Risk Tools and Time Horizon
[Diagram]

Illustrative Diagram
[Diagram]
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop, Minneapolis, MN, July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security

WECC SCRM Outreach Disclaimer
• This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10)
• It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
• Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products and required services that may require a different approach
• Thus one size does not fit all, as the devil is always in the details of any specific plan
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards
• In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes and procedures
• A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter

SCRM Security Objective
• CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium impact BCS
• The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1)
• CIP-013-1 audits will begin next year
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes
  – Part 1.1
  – Part 1.2 (Parts 1.2.1 – 1.2.6)
  – CIP-005-6 (Parts 2.4, 2.5)
  – CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
• Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes

Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [Parts 1.2.1 – 1.2.6] that require specific processes to address various components of vendor access and other risks to High and Medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity
6. Coordination of controls for vendor-initiated IRA (Interactive Remote Access) and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts 1.1 and 1.2]
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1)
(In the original slides, bold font indicates [emphasis added] to draw attention to specific items.)

CIP-013-1 Part 1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s)
• What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
• Should an entity mitigate identified cyber security risks?
  – Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11)

CIP-013-1 Part 1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
• Do I really need to include specific processes and/or procedures for each of the six Part 1.2 Parts in my SCRM procurement plan?
• What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part 1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity
• How can an entity encourage vendors to provide such notifications?
• What would a prudent entity do to mitigate identified risks?

CIP-013-1 Part 1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity
• How can an entity establish this coordination of responses for such incidents?
• What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?

CIP-013-1 Part 1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives
• How can an entity encourage vendors to provide such notifications?
• What would a prudent entity do upon such access notifications?

CIP-013-1 Part 1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity
• How can an entity encourage vendors to provide such disclosures?
• How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part 1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System
• How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
• What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
CIP-013-1 Part 1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s)
• How would a prudent entity establish coordination of controls for remote access?

Documenting Parts 1.2.1 – 1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
• A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020)
• These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable
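Part 1.2.5 above and CIP-010-3 Part 1.6 both turn on the same question: how does the entity verify the integrity and authenticity of vendor software before it reaches a BES Cyber System? As an added example (not from the slides, and not NERC or NATF guidance), the Go program below shows one concrete way to do it. The vendor publishes a sha256sum-style manifest signed with an Ed25519 key; the entity pins the vendor's public key obtained out of band, checks the manifest signature first (authenticity), then compares the SHA-256 of the downloaded file with the digest in the signed manifest (integrity). The vendor key pair, the file name and the patch bytes are constructed here, and the manifest format and choice of Ed25519 are assumptions of this example, not something the Standard prescribes; real vendors ship a variety of formats (PGP-signed checksum files, code-signing certificates), but the check order is the same.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrNotInManifest  = errors.New("file is not listed in the signed manifest")
	ErrDigestMismatch = errors.New("SHA-256 of the downloaded file does not match the signed manifest")
	ErrMalformed      = errors.New("malformed manifest line")
)

// VerifyPatch checks authenticity first (the manifest was signed by the vendor
// whose public key was pinned out of band) and then integrity (the downloaded
// bytes hash to the digest the vendor listed). A digest taken from an
// unauthenticated manifest proves nothing: whoever swapped the patch can swap it.
func VerifyPatch(vendorPub ed25519.PublicKey, manifest, sig []byte, name string, patch []byte) error {
	if !ed25519.Verify(vendorPub, manifest, sig) {
		return ErrBadSignature
	}
	expected, err := digestFor(manifest, name)
	if err != nil {
		return err
	}
	got := sha256.Sum256(patch)
	if subtle.ConstantTimeCompare(got[:], expected) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// digestFor parses sha256sum-style lines ("<hex digest>  <file name>") and
// returns the digest listed for name.
func digestFor(manifest []byte, name string) ([]byte, error) {
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, ErrMalformed
		}
		if fields[1] != name {
			continue
		}
		d, err := hex.DecodeString(fields[0])
		if err != nil || len(d) != sha256.Size {
			return nil, ErrMalformed
		}
		return d, nil
	}
	return nil, ErrNotInManifest
}

// NewKeys generates an Ed25519 key pair. It stands in for the vendor's release
// signing key; in practice the entity only ever holds the public half.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest stands in for the vendor's release process: it lists the SHA-256
// of each file in sha256sum format and signs the whole manifest.
func SignManifest(priv ed25519.PrivateKey, files map[string][]byte) (manifest, sig []byte) {
	var b strings.Builder
	for name, data := range files {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), name)
	}
	manifest = []byte(b.String())
	return manifest, ed25519.Sign(priv, manifest)
}

func main() {
	// Constructed vendor and patch; the public key is pinned out of band, never taken from the download site.
	vendorPub, vendorPriv := NewKeys()
	patch := []byte("rtu-firmware-2.3.1 (constructed sample bytes)")
	manifest, sig := SignManifest(vendorPriv, map[string][]byte{"rtu-2.3.1.bin": patch})
	fmt.Println("genuine:", VerifyPatch(vendorPub, manifest, sig, "rtu-2.3.1.bin", patch))
	tampered := append([]byte{}, patch...)
	tampered[0] ^= 0xff // one byte changed in transit or on a compromised mirror
	fmt.Println("tampered:", VerifyPatch(vendorPub, manifest, sig, "rtu-2.3.1.bin", tampered))
	// The attacker rewrites the manifest too, but cannot sign it with the vendor's key.
	_, attackerPriv := NewKeys()
	forged, forgedSig := SignManifest(attackerPriv, map[string][]byte{"rtu-2.3.1.bin": tampered})
	fmt.Println("forged:", VerifyPatch(vendorPub, forged, forgedSig, "rtu-2.3.1.bin", tampered))
}
```

Run as written, the genuine patch verifies, the tampered file fails on the digest, and the manifest re-signed by a different key fails on the signature before any hash is consulted. The distinct error values are deliberate: an entity's R2 evidence for Part 1.2.5 should record which check failed, since a digest mismatch and a bad signature point at different supply-chain failures. What a prudent entity does after a successful verification (staging, testing, then CIP-010 change management) is the slide's second question and is outside what this code shows.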
Auditing CIP-013-1 R1
• What R1 evidence will the CIP-013 audit team expect?
• What R1 internal controls would a prudent entity develop?

Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1
• What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
• Archive SCRM evidence on a case-by-case basis
• What R2 internal controls would a prudent entity develop?

Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months
• Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3)
• No more than 15 calendar months apart thereafter
• What R3 evidence will the CIP-013 audit team expect?
• What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order No. 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with High and Medium impact BCS, with more to come later on from FERC, NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1, Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. Federal Register 83(208), pp. 53992–54005. https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. MRC Agen­da Item 9, pp. 4–43. https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security – Supply Chain Risk Management [Reliability Standard]. https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. Federal Register 84(96), pp. 22689–22692. https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. Federal Register 78(33), pp. 11739–11744. https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Endorsed Guidance Document]. https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) – Critical Infrastructure. https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier, ISSN 1353-4858, pp. 1–3. https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach U.S. Utility Control Rooms. The Wall Street Journal [Online]. https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
RELIABILITY | RESILIENCE | SECURITY6
bull 200 ndash 330 pm Internal Controls Joseph Baugh Keith Smith
bull 330 ndash 345 pm Breakbull 345 ndash 445 pm Internal Controls Panel Ryan Mauldin Paolo DrsquoAlessandro Kristen Long Thad Ness
bull 445 ndash 500 pm General QampA | Closing Announcements Chris Boyd-Witherspoon
bull 530 ndash 630 pm Reception
Todayrsquos Agenda
RELIABILITY | RESILIENCE | SECURITY7
RELIABILITY | RESILIENCE | SECURITY
Keynote Remarks
Sara Patrick President and CEO MRO2019 Compliance and Standards WorkshopJuly 23 2019
Welcome to MinnesotaNERC Compliance and Standards Workshop
July 23 2019
Whyte Ridge retention pond Winnipeg Manitoba Source Winnipeg Free Press
White Bear Lake Minnesota
A highly reliable and
secure North
American bulk power
system
RELIABILITY | RESILIENCE | SECURITY
Framework to Address Known and Emerging Reliability Risks
Mark Lauby NERC Senior Vice President and Chief Reliability Officer2019 Compliance and Standards WorkshopJuly 23 2019
RELIABILITY | RESILIENCE | SECURITY2
Bulk Power System Reliability
and Security
Bulk Power System Resilience
Bulk Electric System Reliability
Resilience is a Characteristic of a Reliable System
Solely the Bulk Power System Does not include local distribution systems
NERC Reliability Assurance bull Standardsbull Compliancebull Enforcementbull Registrationbull Certification
NERC Reliability Assessments and Performance Analysisbull Reliability Assessmentsbull System Analysisbull Events Analysisbull Performance Analysisbull Situational Awareness
Operator Training
E-ISAC
RELIABILITY | RESILIENCE | SECURITY3
Resilience Indicators
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Trecovered
Disruptive Event
Rel
iabi
lity
RTarget
Degradation Recovery Recovery State
Improved
Deteriorated
Robustness
t
If Detectable Pre-Position
Amplitude
Stable
RELIABILITY | RESILIENCE | SECURITY4
Ensuring ALR
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Disruptive Event
Reliable Operation
Avoid amp control (eg serve critical load)
Rel
iabi
lity
RTarget
Recovered Steady-State
If Detectable Pre-Position
Trecovered t
RELIABILITY | RESILIENCE | SECURITY5
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks.
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines, and standard development. A framework is needed that provides a transparent process using industry and ERO Enterprise experts. The framework must span risk identification, deployment of mitigation strategies, and monitoring of the success of those mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
[Figure: Six-Step Framework, one diagram per step]
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts that are probable, and severe impacts that are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts are used for time-sensitive information: for information, to request action, or to direct action.
5. A combination of tools can be used to gain industry action, setting the stage for standards as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon
[Figure: risk tools mapped against time horizon]
Illustrative Diagram
[Figure: illustrative diagram]
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor – Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  Part R1.1
  Part 1.2 (Parts R1.2.1 – R1.2.6)
  CIP-005-6 (Parts 2.4, 2.5)
  CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e. how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g. defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks." (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1)
Note: bold font indicates [emphasis added] where applicable, to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
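The R1.2.5 check carried out in code, as an added example that is not part of the presentation or of any NERC or WECC material. It assumes a vendor that ships a release manifest signed with an Ed25519 release-signing key whose public half the entity has obtained out of band and pinned; the manifest format, the file name, the package bytes, and the vendor key pair generated inside the program are all constructed for the example (the vendor's private key appears only so the example can run offline, and a Responsible Entity would never hold it).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// VendorRelease bundles what a vendor ships with a patch: the package bytes,
// a manifest stating the package's expected SHA-256, and a signature over the
// manifest made with the vendor's release-signing key. The manifest format
// ("file=<name>\nsha256=<hex>\n") is constructed for this example.
type VendorRelease struct {
	Package   []byte
	Manifest  string
	Signature []byte
}

// ErrAuthenticity: the manifest was not signed by the key we trust.
// ErrIntegrity: the package bytes do not match the signed manifest.
var (
	ErrAuthenticity = errors.New("authenticity check failed: manifest signature invalid")
	ErrIntegrity    = errors.New("integrity check failed: package hash does not match signed manifest")
)

// Verify performs the R1.2.5 check in the right order: authenticity first
// (is this manifest really the vendor's?), then integrity (does the package
// match the manifest?). A hash alone proves nothing when the hash list
// travelled over the same untrusted channel as the package.
func Verify(vendorPub ed25519.PublicKey, rel VendorRelease) error {
	if !ed25519.Verify(vendorPub, []byte(rel.Manifest), rel.Signature) {
		return ErrAuthenticity
	}
	expected, err := manifestHash(rel.Manifest)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(rel.Package)
	if hex.EncodeToString(sum[:]) != expected {
		return ErrIntegrity
	}
	return nil
}

// manifestHash extracts the sha256 line from the constructed manifest format.
func manifestHash(manifest string) (string, error) {
	for _, line := range strings.Split(manifest, "\n") {
		if strings.HasPrefix(line, "sha256=") {
			return strings.TrimPrefix(line, "sha256="), nil
		}
	}
	return "", errors.New("manifest has no sha256 line")
}

// newVendorRelease stands in for the vendor's release process and exists only
// so the example runs offline; the entity never holds the vendor private key.
func newVendorRelease(priv ed25519.PrivateKey, name string, pkg []byte) VendorRelease {
	sum := sha256.Sum256(pkg)
	manifest := fmt.Sprintf("file=%s\nsha256=%s\n", name, hex.EncodeToString(sum[:]))
	return VendorRelease{Package: pkg, Manifest: manifest, Signature: ed25519.Sign(priv, []byte(manifest))}
}

// Demo verifies three releases: a genuine one, one whose package bytes were
// altered in transit, and one whose manifest was rewritten to match the altered
// package but could not be re-signed. It returns the three verification results.
func Demo() (genuineErr, tamperedErr, forgedErr error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	genuine := newVendorRelease(vendorPriv, "relay-fw-2.3.1.bin", []byte("constructed firmware image bytes"))

	tampered := genuine
	tampered.Package = append([]byte(nil), genuine.Package...)
	tampered.Package[0] ^= 0xFF // one corrupted byte in the package

	forged := tampered
	sum := sha256.Sum256(forged.Package)
	forged.Manifest = fmt.Sprintf("file=relay-fw-2.3.1.bin\nsha256=%s\n", hex.EncodeToString(sum[:]))
	// forged.Signature still covers the original manifest, so it no longer verifies.

	return Verify(vendorPub, genuine), Verify(vendorPub, tampered), Verify(vendorPub, forged)
}

func main() {
	g, tam, f := Demo()
	fmt.Println("genuine release:", g)
	fmt.Println("altered package:", tam)
	fmt.Println("rewritten manifest:", f)
}
```

The ordering is the point: checking the digest before the signature lets a manifest that arrived beside the package vouch for it, which is no verification at all. The pinned vendor key is the only trust anchor, so how it was obtained and how key rotation is handled belong in the R1 plan, and the outcome of each check (which key, which manifest, pass or fail) is the artifact a prudent entity would retain as R2 evidence.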
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3), and no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1 – Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992–54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4–43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689–22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739–11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1–3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door – and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor – Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized in:
• Protection
• Analysis
• Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations depend on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
[Diagram: Facility Ratings feeding into TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, and PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
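The inventory, verification, and change-management controls from the Max Reliability Power Company examples above (Inventory Example 2, Verification Example 2, and the two Change Management Example 2 slides), as an added example that is not part of the presentation or of any NERC material. It assumes a constructed inventory of one Facility with three series elements rated in amperes; the facility name, equipment IDs, and ratings are invented for the example, and the "field inspection" is simulated by handing the function an as-found equipment list.

```go
package main

import (
	"fmt"
	"math"
)

// Equipment is one series element of a Facility with its Equipment Rating
// (amperes in this example).
type Equipment struct {
	ID     string
	Rating float64
}

// Facility lists its series equipment. The Facility Rating is always derived
// from this list rather than stored, so inventory and rating cannot drift apart.
type Facility struct {
	Name      string
	Equipment []Equipment
}

// FacilityRating returns the most limiting applicable Equipment Rating and the
// element that sets it. An empty Facility has no rating (+Inf, "").
func FacilityRating(f Facility) (float64, string) {
	limit, limiter := math.Inf(1), ""
	for _, e := range f.Equipment {
		if e.Rating < limit {
			limit, limiter = e.Rating, e.ID
		}
	}
	return limit, limiter
}

// ChangeImpact is what the change-management control hands to protection,
// planning and operations: whether the Facility Rating moved, and from what to what.
type ChangeImpact struct {
	Facility string
	Before   float64
	After    float64
	Changed  bool
}

// ApplyRatingChange updates one Equipment Rating everywhere it appears in the
// inventory and reports the impact on each Facility that contains the element.
func ApplyRatingChange(inv []Facility, equipmentID string, newRating float64) []ChangeImpact {
	var impacts []ChangeImpact
	for i := range inv {
		before, _ := FacilityRating(inv[i])
		touched := false
		for j := range inv[i].Equipment {
			if inv[i].Equipment[j].ID == equipmentID {
				inv[i].Equipment[j].Rating = newRating
				touched = true
			}
		}
		if !touched {
			continue
		}
		after, _ := FacilityRating(inv[i])
		impacts = append(impacts, ChangeImpact{inv[i].Name, before, after, before != after})
	}
	return impacts
}

// VerifyFieldInspection is the detective control: compare the documented
// Facility with the equipment actually found in the field. It returns the IDs
// missing from the inventory and whether the documented rating still respects
// the most limiting as-found element.
func VerifyFieldInspection(documented Facility, asFound []Equipment) (missing []string, ratingOK bool) {
	known := map[string]bool{}
	for _, e := range documented.Equipment {
		known[e.ID] = true
	}
	documentedRating, _ := FacilityRating(documented)
	ratingOK = true
	for _, e := range asFound {
		if !known[e.ID] {
			missing = append(missing, e.ID)
		}
		if e.Rating < documentedRating {
			ratingOK = false
		}
	}
	return missing, ratingOK
}

// SampleInventory is constructed data: one line with a conductor, a CT and a
// disconnect switch in series. Names and ratings are invented for the example.
func SampleInventory() []Facility {
	return []Facility{{
		Name:      "Line 101",
		Equipment: []Equipment{{"COND-101", 1200}, {"CT-101", 1000}, {"DISC-101", 1200}},
	}}
}

func main() {
	inv := SampleInventory()
	r, lim := FacilityRating(inv[0])
	fmt.Printf("%s rated %.0f A, limited by %s\n", inv[0].Name, r, lim)
	// CT replaced with a higher-rated unit: the Facility Rating moves, so the
	// downstream users of the rating must be notified.
	for _, imp := range ApplyRatingChange(inv, "CT-101", 1500) {
		fmt.Printf("%s: %.0f -> %.0f A (changed=%v)\n", imp.Facility, imp.Before, imp.After, imp.Changed)
	}
	// Field inspection finds a wave trap that the inventory never listed.
	asFound := append(inv[0].Equipment, Equipment{"TRAP-101", 800})
	missing, ok := VerifyFieldInspection(inv[0], asFound)
	fmt.Println("missing from inventory:", missing, "documented rating still valid:", ok)
}
```

Deriving the Facility Rating from the equipment list at read time, rather than storing it as a separate field, is what makes the "flagging when Equipment Rating changes impact Facility Ratings" control cheap: the change routine only has to compare the derived value before and after. The field-inspection function shows why verification is a separate, detective control: an unlisted 800 A element lowers the true rating regardless of how carefully the documented elements were maintained.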
Questions
Break
Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in the states of CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Map: Eversource service territories, labelled ISO-NE, NSTAR, CONVEX, and ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

Entity                             Registration   DP   TO   TOP   TP   TSP
Eversource Energy Service Company  NCR07176       X    X    X     X    X

(DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
RELIABILITY | RESILIENCE | SECURITY7
RELIABILITY | RESILIENCE | SECURITY
Keynote Remarks
Sara Patrick President and CEO MRO2019 Compliance and Standards WorkshopJuly 23 2019
Welcome to MinnesotaNERC Compliance and Standards Workshop
July 23 2019
Whyte Ridge retention pond Winnipeg Manitoba Source Winnipeg Free Press
White Bear Lake Minnesota
A highly reliable and
secure North
American bulk power
system
RELIABILITY | RESILIENCE | SECURITY
Framework to Address Known and Emerging Reliability Risks
Mark Lauby NERC Senior Vice President and Chief Reliability Officer2019 Compliance and Standards WorkshopJuly 23 2019
RELIABILITY | RESILIENCE | SECURITY2
Bulk Power System Reliability
and Security
Bulk Power System Resilience
Bulk Electric System Reliability
Resilience is a Characteristic of a Reliable System
Solely the Bulk Power System Does not include local distribution systems
NERC Reliability Assurance bull Standardsbull Compliancebull Enforcementbull Registrationbull Certification
NERC Reliability Assessments and Performance Analysisbull Reliability Assessmentsbull System Analysisbull Events Analysisbull Performance Analysisbull Situational Awareness
Operator Training
E-ISAC
RELIABILITY | RESILIENCE | SECURITY3
Resilience Indicators
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Trecovered
Disruptive Event
Rel
iabi
lity
RTarget
Degradation Recovery Recovery State
Improved
Deteriorated
Robustness
t
If Detectable Pre-Position
Amplitude
Stable
RELIABILITY | RESILIENCE | SECURITY4
Ensuring ALR
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Disruptive Event
Reliable Operation
Avoid amp control (eg serve critical load)
Rel
iabi
lity
RTarget
Recovered Steady-State
If Detectable Pre-Position
Trecovered t
RELIABILITY | RESILIENCE | SECURITY5
Declaration amp Problem
bull DeclarationThe Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
bull Problem Statement ERO Enterprise has continued to lead industry in reliability and security
initiatives to identify known and emerging risks and their mitigation The reliability toolkit for risk mitigation the ERO currently deploys includes
for example webinars and conferences lessons learned Alerts Guidelines and standard development
A framework is needed to that provides a transparent process using industry and ERO Enterprise experts
Framework must include risk identification deployment of mitigation strategies to monitoring the success of these mitigations
RELIABILITY | RESILIENCE | SECURITY6
Six-Step Framework
1 Risk Identification2 Risk Prioritization3 Mitigation Identification and Evaluation4 Mitigation Deployment5 Measurement of Success6 Monitor Residual Risk
RELIABILITY | RESILIENCE | SECURITY7
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY8
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
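The Part 1.2.5 slide above asks how an entity can verify both the integrity and the authenticity of vendor-supplied software and patches. The Go program below is an added example written for this page, not code from NERC, WECC, or any vendor. It assumes a vendor practice the slide does not prescribe: the vendor publishes a SHA-256 manifest of its release files and signs that manifest with an Ed25519 key whose public half the entity obtained out of band and pinned. Every file name, file content, and key in it is constructed for the example. Integrity is the digest comparison; authenticity is the signature check on the manifest, which is why a delivery whose manifest is signed by any key other than the pinned one is rejected even though every digest matches.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a delivered file name to the SHA-256 digest the vendor published for it.
type Manifest map[string]string

// Encode renders the manifest in a canonical, sorted layout (sha256sum format) so vendor and entity sign and verify the same bytes.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// VerifyDelivery performs the two checks behind Part 1.2.5 and returns whether the whole
// delivery may be installed, plus one line per failing file for the procurement record:
//  1. authenticity: the manifest must carry a valid Ed25519 signature from the vendor
//     public key the entity obtained out of band and pinned (assumed vendor practice);
//  2. integrity: each delivered file's SHA-256 must equal its signed manifest entry.
// A delivered file the manifest does not list fails: an unsigned extra is what tampering looks like.
func VerifyDelivery(pinnedKey ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) (bool, []string) {
	if !ed25519.Verify(pinnedKey, m.Encode(), sig) {
		return false, []string{"manifest signature invalid under pinned vendor key; no digest in it can be trusted"}
	}
	var problems []string
	for name, data := range files {
		want, listed := m[name]
		sum := sha256.Sum256(data)
		got := hex.EncodeToString(sum[:])
		switch {
		case !listed:
			problems = append(problems, name+": not listed in the signed manifest")
		case got != want:
			problems = append(problems, fmt.Sprintf("%s: digest mismatch (manifest %s, delivered %s)", name, want[:12], got[:12]))
		}
	}
	sort.Strings(problems)
	return len(problems) == 0 && len(files) > 0, problems
}

// vendorSide simulates the vendor: hash every release file and sign the manifest.
// Constructed for the example; a real vendor's private key never reaches the entity.
func vendorSide(files map[string][]byte) (ed25519.PublicKey, Manifest, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	m := Manifest{}
	for n, data := range files {
		sum := sha256.Sum256(data)
		m[n] = hex.EncodeToString(sum[:])
	}
	return pub, m, ed25519.Sign(priv, m.Encode())
}

// Scenario checks a constructed release three ways: as delivered, with one file altered and one
// unlisted file added, and with the manifest re-signed by a key other than the pinned vendor key.
func Scenario() (cleanOK, alteredOK, wrongKeyOK bool, alteredProblems []string) {
	release := map[string][]byte{
		"rtu-firmware-2.4.1.bin": []byte("constructed firmware image bytes"),
		"hmi-patch-2019-07.msi":  []byte("constructed patch installer bytes"),
	}
	vendorPub, manifest, sig := vendorSide(release)
	cleanOK, _ = VerifyDelivery(vendorPub, manifest, sig, release)
	altered := map[string][]byte{
		"rtu-firmware-2.4.1.bin": []byte("constructed firmware image bytes\x00"), // one byte changed in transit
		"hmi-patch-2019-07.msi":  release["hmi-patch-2019-07.msi"],
		"helper-tool.exe":        []byte("not part of the signed release"), // unlisted extra file
	}
	alteredOK, alteredProblems = VerifyDelivery(vendorPub, manifest, sig, altered)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrongKeyOK, _ = VerifyDelivery(vendorPub, manifest, ed25519.Sign(otherPriv, manifest.Encode()), release)
	return cleanOK, alteredOK, wrongKeyOK, alteredProblems
}

func main() {
	c, a, w, p := Scenario()
	fmt.Printf("clean accepted: %v, altered accepted: %v, wrong-key accepted: %v\nproblems: %v\n", c, a, w, p)
}
```

Scenario accepts only the clean delivery; the altered delivery is refused with two recorded problems (the changed firmware digest and the unlisted extra file), and the re-signed manifest is refused before any digest is consulted. The returned problem lines are the kind of artifact the R2 slide has in mind when it says to archive SCRM evidence for each applicable procurement.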
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1-1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3).
No more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020; 18 CFR Part 40; Docket No. RM17-13-000. In Federal Register, 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register, 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
• Protection
• Analysis
• Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example (diagram): Facility Ratings and the related standards TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes implemented
• Confirmation that changes implemented as planned
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
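The four control areas on these slides (methodology, inventory, verification, change management) can be expressed as one small program. The Go code below is an added example written for this page, not Keith Smith's or any entity's tooling; the facility names, equipment IDs, ratings (in amperes) and the documented Facility Ratings are constructed. MostLimiting applies the FAC-008 rule the Objectives slide states (the Facility Rating respects the most limiting applicable series Equipment Rating); Verify is the detective control that recomputes each documented Facility Rating and reports discrepancies; ApplyEquipmentChange is the change-management control that flags a Facility Rating change and names the groups to notify, using the automated-notification list from the Max Reliability Power Company slide.

```go
package main

import (
	"fmt"
	"sort"
)

// Equipment is one series element of a Facility with its documented Equipment Rating in amperes.
type Equipment struct {
	ID     string
	Rating float64
}

// Facility is a transmission Facility, the series equipment that comprises it, and the
// Facility Rating recorded for it in the inventory.
type Facility struct {
	Name             string
	Equipment        []Equipment
	DocumentedRating float64
}

// MostLimiting returns the Facility Rating implied by FAC-008: the lowest applicable
// Equipment Rating among the series equipment, and which element sets it.
func MostLimiting(f Facility) (rating float64, limitingID string) {
	for i, e := range f.Equipment {
		if i == 0 || e.Rating < rating {
			rating, limitingID = e.Rating, e.ID
		}
	}
	return rating, limitingID
}

// Discrepancy is what the verification (detective) control reports.
type Discrepancy struct {
	Facility   string
	Documented float64
	Computed   float64
	LimitedBy  string
}

// Verify recomputes each Facility Rating from the Equipment Ratings and returns the
// Facilities whose documented rating does not match, sorted by name.
func Verify(inv []Facility) []Discrepancy {
	var out []Discrepancy
	for _, f := range inv {
		computed, by := MostLimiting(f)
		if computed != f.DocumentedRating {
			out = append(out, Discrepancy{f.Name, f.DocumentedRating, computed, by})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Facility < out[j].Facility })
	return out
}

// ChangeImpact is the flag raised when an Equipment Rating change moves a Facility Rating,
// so the downstream groups can be notified and the follow-up checklist started.
type ChangeImpact struct {
	Facility string
	Old, New float64
	Notify   []string
}

// ApplyEquipmentChange updates one Equipment Rating wherever that equipment appears,
// recomputes the affected Facility Ratings, and flags every Facility whose rating changed.
// A change that leaves a Facility Rating unchanged (the element was not the limiting one
// and did not become it) produces no flag.
func ApplyEquipmentChange(inv []Facility, equipID string, newRating float64) []ChangeImpact {
	// Groups named on the slide for automated notification of Facility Rating changes.
	notify := []string{"Protection Engineering", "System Planning", "System Operations", "Operations Support"}
	var impacts []ChangeImpact
	for i := range inv {
		f := &inv[i]
		oldFR, _ := MostLimiting(*f)
		touched := false
		for j := range f.Equipment {
			if f.Equipment[j].ID == equipID {
				f.Equipment[j].Rating = newRating
				touched = true
			}
		}
		if !touched {
			continue
		}
		newFR, _ := MostLimiting(*f)
		f.DocumentedRating = newFR // keep the inventory record current
		if newFR != oldFR {
			impacts = append(impacts, ChangeImpact{f.Name, oldFR, newFR, notify})
		}
	}
	return impacts
}

// SampleInventory is constructed data for the example, not any entity's real ratings.
// Line 102's documented rating deliberately ignores its wave trap, the kind of error
// field verification is meant to catch.
func SampleInventory() []Facility {
	return []Facility{
		{Name: "Line 101", DocumentedRating: 950, Equipment: []Equipment{
			{"101-CB-1", 1200}, {"101-CT-1", 1200}, {"101-COND", 950}, {"101-DISC-2", 1200}}},
		{Name: "Line 102", DocumentedRating: 1100, Equipment: []Equipment{
			{"102-CB-1", 1200}, {"102-WAVETRAP", 800}, {"102-COND", 1100}}},
	}
}

func main() {
	inv := SampleInventory()
	for _, d := range Verify(inv) {
		fmt.Printf("%s: documented %.0f A, but %s limits it to %.0f A\n", d.Facility, d.Documented, d.LimitedBy, d.Computed)
	}
	for _, c := range ApplyEquipmentChange(inv, "101-COND", 1050) {
		fmt.Printf("%s rating changed %.0f -> %.0f A; notify %v\n", c.Facility, c.Old, c.New, c.Notify)
	}
}
```

Running it reports Line 102 as a verification discrepancy (documented 1100 A, wave trap limits it to 800 A), flags Line 101 when its conductor is re-rated from 950 A to 1050 A, and raises no flag for a later breaker re-rating that does not move the Facility Rating, which is the "flagging when Equipment Rating changes impact Facility Ratings" behaviour the Inventory Example 2 slide describes.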
Questions?
Break: Webinar participants, we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24th, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH states through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:
  Registered Entity | NCR | DP | TO | TOP | TP | TSP
  Eversource Energy Service Company | NCR07176 | X | X | X | X | X
  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
Keynote Remarks
Sara Patrick, President and CEO, MRO
2019 Compliance and Standards Workshop, July 23, 2019
Welcome to Minnesota: NERC Compliance and Standards Workshop, July 23, 2019
(Photos: Whyte Ridge retention pond, Winnipeg, Manitoba; source: Winnipeg Free Press. White Bear Lake, Minnesota.)
A highly reliable and secure North American bulk power system
Framework to Address Known and Emerging Reliability Risks
Mark Lauby, NERC Senior Vice President and Chief Reliability Officer
2019 Compliance and Standards Workshop, July 23, 2019
Bulk Power System Reliability and Security
(Diagram: Bulk Power System Resilience; Bulk Electric System Reliability)
Resilience is a Characteristic of a Reliable System
Solely the Bulk Power System: does not include local distribution systems.
NERC Reliability Assurance:
• Standards
• Compliance
• Enforcement
• Registration
• Certification
NERC Reliability Assessments and Performance Analysis:
• Reliability Assessments
• System Analysis
• Events Analysis
• Performance Analysis
• Situational Awareness
Operator Training
E-ISAC
Resilience Indicators
(Figure: reliability R(t) plotted against time t. A Disruptive Event at T_disruption begins a Degradation phase, whose depth below R_100 (Reliable) is the Amplitude, down to R_ALR-Nadir; Robustness is the resistance to that degradation. Recovery begins at T_rebound and reaches a Recovery State at T_recovered, which relative to R_Target may be Improved, Stable, or Deteriorated. Annotation: "If Detectable, Pre-Position".)
Ensuring ALR
(Figure: the same R(t) curve, with Reliable Operation before the Disruptive Event at T_disruption, the drop to R_ALR-Nadir, the rebound at T_rebound toward R_Target and R_100 (Reliable), and the Recovered Steady-State at T_recovered. Annotations: "If Detectable, Pre-Position"; "Avoid & control (e.g., serve critical load)".)
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks.
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines, and standard development. A framework is needed that provides a transparent process using industry and ERO Enterprise experts. The framework must include risk identification, deployment of mitigation strategies, and monitoring of the success of these mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action.
5. A combination of tools can be used towards gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon (diagram)
Illustrative Diagram
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop, Minneapolis, MN, July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC, 2017 April, Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems." (CIP-013-1, Purpose section, p. 1)
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  Part R1.1
  Part 1.2 (Parts R1.2.1 – R1.2.6)
  CIP-005-6 (Parts 2.4, 2.5)
  CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2]
How can I comply with R1?
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
[Diagram: Facility Ratings linked to TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, and PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur.
• Appropriate personnel should receive an email when Facility Ratings change.
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  - Protection Engineering
  - System Planning
  - System Operations
  - Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
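The inventory (Inventory Example 2) and change management (Change Management Example 2) behaviours described above, as an added worked example that is not part of the workshop slides: a Facility Rating is computed as the most limiting Equipment Rating of the series equipment, an Equipment Rating change is evaluated for Facility Rating impact, a change that moves the Facility Rating triggers notices to the four groups named on the slide, and a detective check compares recorded ratings against the inventory. The equipment names, ratings, and sources are constructed sample data.

```python
"""Facility Rating inventory with change-impact flagging (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Groups the slide lists as recipients of automated Facility Rating change notices.
NOTIFY_GROUPS = ("Protection Engineering", "System Planning",
                 "System Operations", "Operations Support")


@dataclass
class Equipment:
    name: str
    rating_amps: float
    rating_source: str  # Equipment Rating documentation (nameplate, study, ...)


@dataclass
class Facility:
    name: str
    series_equipment: dict[str, Equipment] = field(default_factory=dict)

    def facility_rating(self) -> tuple[float, str]:
        """Most limiting applicable Equipment Rating and the element that sets it."""
        if not self.series_equipment:
            raise ValueError(f"{self.name}: no series equipment in inventory")
        limiting = min(self.series_equipment.values(), key=lambda e: e.rating_amps)
        return limiting.rating_amps, limiting.name


class RatingInventory:
    """Tracks Facilities, their series equipment, and Facility Rating changes."""

    def __init__(self) -> None:
        self.facilities: dict[str, Facility] = {}
        self.notifications: list[dict] = []  # record of automated notices issued

    def add_facility(self, facility: Facility) -> None:
        self.facilities[facility.name] = facility

    def change_equipment_rating(self, facility_name: str, equipment_name: str,
                                new_rating: float, source: str) -> dict:
        """Apply an Equipment Rating change and evaluate its Facility Rating impact."""
        fac = self.facilities[facility_name]
        before, _ = fac.facility_rating()
        eq = fac.series_equipment[equipment_name]
        old_eq_rating = eq.rating_amps
        eq.rating_amps = new_rating
        eq.rating_source = source
        after, after_limit = fac.facility_rating()
        result = {
            "facility": facility_name,
            "equipment": equipment_name,
            "equipment_rating_before": old_eq_rating,
            "equipment_rating_after": new_rating,
            "facility_rating_before": before,
            "facility_rating_after": after,
            "limiting_element": after_limit,
            "facility_rating_changed": before != after,
        }
        # Only a change that moves the Facility Rating is pushed downstream.
        if result["facility_rating_changed"]:
            for group in NOTIFY_GROUPS:
                self.notifications.append({"to": group, **result})
        return result

    def verify_facility_ratings(self, recorded: dict[str, float]) -> list[str]:
        """Detective control: Facilities whose recorded rating disagrees with inventory."""
        return [name for name, fac in self.facilities.items()
                if recorded.get(name) != fac.facility_rating()[0]]


def build_sample_inventory() -> RatingInventory:
    """Constructed sample: one 115 kV line with three series elements."""
    inv = RatingInventory()
    line = Facility("Line 115kV A-B")
    for eq in (Equipment("conductor A-B", 1200.0, "conductor nameplate"),
               Equipment("breaker A-1", 1000.0, "breaker nameplate"),
               Equipment("CT A-1", 1100.0, "CT ratio study")):
        line.series_equipment[eq.name] = eq
    inv.add_facility(line)
    return inv
```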
Questions
Break
Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Map labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

Entity                             | NCR      | Distribution Provider (DP) | Transmission Owner (TO) | Transmission Operator (TOP) | Transmission Planner (TP) | Transmission Service Provider (TSP)
Eversource Energy Service Company  | NCR07176 | X                          | X                       | X                           | X                         | X
Welcome to Minnesota
NERC Compliance and Standards Workshop
July 23, 2019
[Photo: Whyte Ridge retention pond, Winnipeg, Manitoba. Source: Winnipeg Free Press]
[Photo: White Bear Lake, Minnesota]
A highly reliable and secure North American bulk power system
Framework to Address Known and Emerging Reliability Risks
Mark Lauby, NERC Senior Vice President and Chief Reliability Officer
2019 Compliance and Standards Workshop, July 23, 2019
[Diagram]
• Bulk Power System Reliability and Security
• Bulk Power System Resilience
• Bulk Electric System Reliability
• Resilience is a Characteristic of a Reliable System
• Solely the Bulk Power System: does not include local distribution systems
• NERC Reliability Assurance: Standards, Compliance, Enforcement, Registration, Certification
• NERC Reliability Assessments and Performance Analysis: Reliability Assessments, System Analysis, Events Analysis, Performance Analysis, Situational Awareness
• Operator Training
• E-ISAC
Resilience Indicators
[Figure: reliability R(t) plotted against time t around a Disruptive Event. Marked levels: R_100 (Reliable), R_Target, R_ALR-Nadir. Marked times: T_disruption, T_rebound, T_recovered. Phases labelled Degradation, Recovery, and Recovery State (Improved, Stable, or Deteriorated); indicators labelled Robustness and Amplitude; annotation "If Detectable: Pre-Position".]
Ensuring ALR
[Figure: the same R(t) curve against t, with levels R_100 (Reliable), R_Target, R_ALR-Nadir and times T_disruption, T_rebound, T_recovered. Annotations: Reliable Operation; "Avoid & control (e.g., serve critical load)"; Recovered Steady-State; "If Detectable: Pre-Position".]
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks.
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines, and standard development. A framework is needed that provides a transparent process using industry and ERO Enterprise experts. The framework must include risk identification, deployment of mitigation strategies, and monitoring of the success of these mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts that are both probable and improbable.
4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action.
5. A combination of tools can be used toward gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon
Illustrative Diagram
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC, 2017, April, Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operations of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  - Part R1.1
  - Part 1.2 (Parts R1.2.1–R1.2.6)
  - CIP-005-6 (Parts 2.4, 2.5)
  - CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1–R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks." (NERC, 2017, April, SCRM Implementation Guidance, General Considerations, p. 1)
Note: Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
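One shape a Part R1.2.5 verification gate can take, as an added example that is not from the slides or from any vendor's tooling: integrity is checked by recomputing SHA-256 over the delivered file and comparing it to the digest in the vendor's manifest, and authenticity of the manifest is checked first, so that a digest is never trusted from an unauthenticated manifest. The manifest check here uses an HMAC under a key assumed to have been exchanged with the vendor out of band; it stands in for the vendor's digital signature, which has the same role. The vendor key, manifest, and patch bytes are constructed sample data, and the gate returns an evidence record of the kind an entity would archive for R2.

```python
"""Integrity and authenticity gate for a vendor-supplied patch (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed: key established with the vendor through a separate channel.
# In practice the equivalent trust anchor is the vendor's signing key.
VENDOR_KEY = b"constructed-out-of-band-vendor-key"


def sha256_hex(data: bytes) -> str:
    """Digest used both for manifest entries and for the integrity check."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side (stand-in for a signature): HMAC-SHA256 over canonical JSON."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_patch(patch_bytes: bytes, filename: str, manifest: dict,
                 manifest_tag: str, key: bytes) -> dict:
    """Authenticity first, then integrity. Returns an evidence record;
    the 'approved' field is the gate for release to change management."""
    record = {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "file": filename,
        "manifest_authentic": False,
        "digest_matches": False,
        "approved": False,
        "reason": "",
    }
    # Step 1: is the manifest really from the vendor? Constant-time compare.
    expected_tag = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_tag, manifest_tag):
        record["reason"] = "manifest authenticity check failed"
        return record
    record["manifest_authentic"] = True
    # Step 2: does the manifest cover this file with a supported digest?
    entry = manifest.get("files", {}).get(filename)
    if entry is None or entry.get("algo") != "sha256":
        record["reason"] = "file not listed in manifest with a supported digest"
        return record
    # Step 3: does the delivered file match the authenticated digest?
    actual = sha256_hex(patch_bytes)
    record["computed_sha256"] = actual
    if not hmac.compare_digest(actual, entry["sha256"]):
        record["reason"] = "digest mismatch: file altered or wrong file delivered"
        return record
    record["digest_matches"] = True
    record["approved"] = True
    record["reason"] = "integrity and authenticity verified; release to change management"
    return record


# Constructed sample delivery: a "patch" and the vendor's manifest for it.
SAMPLE_PATCH = b"relay-firmware-v2.3.1 constructed sample bytes\n"
SAMPLE_MANIFEST = {
    "vendor": "Example Relay Co (constructed)",
    "release": "2.3.1",
    "files": {"relay-fw-2.3.1.bin": {"algo": "sha256",
                                      "sha256": sha256_hex(SAMPLE_PATCH)}},
}
SAMPLE_TAG = sign_manifest(SAMPLE_MANIFEST, VENDOR_KEY)
```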
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
• Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
• Initial review and approval is due on or before July 1, 2020 (NERC, 2017, July, Implementation Plan, Initial Performance section, p. 3).
• No more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020; 18 CFR Part 40; Docket No. RM17-13-000. In Federal Register, 83(208), pp. 53992–54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4–43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84(96), pp. 22689–22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register, 78(33), pp. 11739–11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1–3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R., & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
• Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
• Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes, and procedures
• Be proactive and monitor for future changes in CIP-013-2
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Whyte Ridge retention pond Winnipeg Manitoba Source Winnipeg Free Press
White Bear Lake Minnesota
A highly reliable and
secure North
American bulk power
system
RELIABILITY | RESILIENCE | SECURITY
Framework to Address Known and Emerging Reliability Risks
Mark Lauby NERC Senior Vice President and Chief Reliability Officer2019 Compliance and Standards WorkshopJuly 23 2019
RELIABILITY | RESILIENCE | SECURITY2
Bulk Power System Reliability
and Security
Bulk Power System Resilience
Bulk Electric System Reliability
Resilience is a Characteristic of a Reliable System
Solely the Bulk Power System Does not include local distribution systems
NERC Reliability Assurance bull Standardsbull Compliancebull Enforcementbull Registrationbull Certification
NERC Reliability Assessments and Performance Analysisbull Reliability Assessmentsbull System Analysisbull Events Analysisbull Performance Analysisbull Situational Awareness
Operator Training
E-ISAC
RELIABILITY | RESILIENCE | SECURITY3
Resilience Indicators
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Trecovered
Disruptive Event
Rel
iabi
lity
RTarget
Degradation Recovery Recovery State
Improved
Deteriorated
Robustness
t
If Detectable Pre-Position
Amplitude
Stable
RELIABILITY | RESILIENCE | SECURITY4
Ensuring ALR
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Disruptive Event
Reliable Operation
Avoid amp control (eg serve critical load)
Rel
iabi
lity
RTarget
Recovered Steady-State
If Detectable Pre-Position
Trecovered t
RELIABILITY | RESILIENCE | SECURITY5
Declaration amp Problem
bull DeclarationThe Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
bull Problem Statement ERO Enterprise has continued to lead industry in reliability and security
initiatives to identify known and emerging risks and their mitigation The reliability toolkit for risk mitigation the ERO currently deploys includes
for example webinars and conferences lessons learned Alerts Guidelines and standard development
A framework is needed to that provides a transparent process using industry and ERO Enterprise experts
Framework must include risk identification deployment of mitigation strategies to monitoring the success of these mitigations
RELIABILITY | RESILIENCE | SECURITY6
Six-Step Framework
1 Risk Identification2 Risk Prioritization3 Mitigation Identification and Evaluation4 Mitigation Deployment5 Measurement of Success6 Monitor Residual Risk
RELIABILITY | RESILIENCE | SECURITY7
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY8
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts that are probable, and severe impacts that are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts are used for time-sensitive information: for information only, to request action, or to direct action.
5. A combination of tools can be used toward gaining industry action, setting the stage for standards, and addressing a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon [figure not reproduced in the transcript]
Illustrative Diagram [figure not reproduced in the transcript]
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop, Minneapolis, MN, July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC, 2017 April, Implementation Guidance, pp. 1-10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes: Part 1.1; Part 1.2 (Parts 1.2.1-1.2.6); CIP-005-6 (Parts 2.4, 2.5); CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [Parts 1.2.1-1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA (Interactive Remote Access) and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts 1.1 and 1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC, 2017 April, SCRM Implementation Guidance, General Considerations, p. 1).
Note: in the original slides, bold font indicates [emphasis added] where applicable, to draw attention to specific items.
CIP-013-1 Part 1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks..." (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider ... options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part 1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six Part 1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part 1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part 1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part 1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part 1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part 1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
CIP-013-1 Part 1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1-1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
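The Part 1.2.5 check, and the CIP-010-3 Part 1.6 check the preceding slide points to, have two halves that are easy to conflate: integrity (the bytes you received are the bytes the vendor released) and authenticity (the release really came from the vendor). The following is an added example written for this page, not code from the presentation, from WECC, or from NERC guidance. It verifies a constructed firmware artifact against a vendor-signed manifest. The manifest format, the choice of Ed25519 and SHA-256, the artifact bytes, and the deterministically derived "vendor" key are all assumptions made so that the example runs offline; a real program would pin the vendor's published key and consume whatever signed checksum or code-signing format that vendor actually provides.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical vendor release record: the artifact name, its
// expected SHA-256 digest, and the vendor's Ed25519 signature over the name
// and digest. The format is an assumption made for this example; real vendors
// publish signed checksum files, code-signing certificates, and so on.
type Manifest struct {
	Name      string
	SHA256Hex string
	Signature []byte
}

var (
	ErrAuthenticity = errors.New("authenticity: manifest signature does not verify against the trusted vendor key")
	ErrIntegrity    = errors.New("integrity: artifact digest does not match the signed manifest")
)

// signedBytes is the exact byte string the vendor signs and the entity verifies.
// Binding the name into it stops a valid manifest for one file being replayed for another.
func signedBytes(name, digestHex string) []byte {
	return []byte(name + "\n" + digestHex)
}

// SignManifest is the vendor-side step, included only so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, name string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	digest := hex.EncodeToString(sum[:])
	return Manifest{Name: name, SHA256Hex: digest, Signature: ed25519.Sign(priv, signedBytes(name, digest))}
}

// VerifyArtifact is the Responsible Entity's Part 1.2.5 check. Authenticity is
// checked first: the manifest must verify under the vendor key the entity obtained
// out of band (not downloaded next to the patch). Only then is the digest in that
// manifest trusted for the integrity comparison. A digest alone proves nothing,
// because whoever can tamper with the patch can also rewrite an unsigned checksum file.
func VerifyArtifact(trustedVendorKey ed25519.PublicKey, m Manifest, artifact []byte) error {
	if !ed25519.Verify(trustedVendorKey, signedBytes(m.Name, m.SHA256Hex), m.Signature) {
		return ErrAuthenticity
	}
	want, err := hex.DecodeString(m.SHA256Hex)
	if err != nil || len(want) != sha256.Size {
		return ErrIntegrity
	}
	got := sha256.Sum256(artifact)
	if !bytes.Equal(got[:], want) {
		return ErrIntegrity
	}
	return nil
}

// ConstructedVendorKey derives a deterministic key pair from a label so the
// example is reproducible. A real vendor key is never derived like this; it is
// distributed by the vendor and pinned by the entity.
func ConstructedVendorKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	vendorPub, vendorPriv := ConstructedVendorKey("constructed vendor key (example only)")
	firmware := []byte("constructed relay firmware image v2.1") // stands in for the downloaded patch
	manifest := SignManifest(vendorPriv, "relay-fw-2.1.bin", firmware)

	fmt.Println("genuine patch:  ", VerifyArtifact(vendorPub, manifest, firmware))

	tampered := append([]byte(nil), firmware...)
	tampered[0] ^= 0xff // one flipped byte: integrity failure, signature still valid
	fmt.Println("tampered patch: ", VerifyArtifact(vendorPub, manifest, tampered))

	_, attackerPriv := ConstructedVendorKey("constructed attacker key (example only)")
	forged := SignManifest(attackerPriv, "relay-fw-2.1.bin", tampered) // consistent digest, wrong signer
	fmt.Println("forged manifest:", VerifyArtifact(vendorPub, forged, tampered))
}
```

The order of the checks matters: the digest in the manifest is only trusted after the signature over it verifies, and the artifact name is bound into the signed bytes so that a genuine manifest for one file cannot be replayed against another. The tampered and forged cases in main() exercise the two failure modes separately, which is what the "what would a prudent entity do" question on the slide is driving at: the evidence should show which check failed and that the patch was not installed.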
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3); no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1: Supply Chain Risk Management Reliability Standard, Final Rule, 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register, 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 - Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register, 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1-3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door, and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized: Protection, Analysis, Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology: Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology: Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
• Establishing Facility Ratings
• Evaluating change impacts
• Verifying Facility Ratings
Inventory: Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory: Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification: Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification: Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
[Figure: Facility Ratings at the center, linked to TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, and PRC-023-4]
Change Management: Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management: Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management: Example 2 (continued)
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to: Protection Engineering, System Planning, System Operations, Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
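The inventory and change-management controls in the Max Reliability Power Company examples reduce to a small amount of logic: derive each Facility Rating from its most limiting series element, and raise a flag only when an Equipment Rating change actually moves that Facility Rating. The following is an added example written for this page, not code from the presentation or from any registered entity; the two-Facility inventory, the equipment IDs, the ampere ratings, and the notification list are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Equipment is one series element of a Facility and its applicable Equipment
// Rating. Values are in amperes here; the unit, IDs, and ratings are constructed.
type Equipment struct {
	ID     string
	Rating float64
}

// Facility is named and comprises its series equipment.
type Facility struct {
	Name      string
	Equipment []Equipment
}

// FacilityRating applies the FAC-008 rule on the slides: the Facility Rating
// respects the most limiting applicable Equipment Rating. It returns that rating
// and the ID of the limiting element, or (0, "") for an empty Facility.
func FacilityRating(f Facility) (float64, string) {
	rating, limiting := math.Inf(1), ""
	for _, e := range f.Equipment {
		if e.Rating < rating {
			rating, limiting = e.Rating, e.ID
		}
	}
	if limiting == "" {
		return 0, ""
	}
	return rating, limiting
}

// RatingChange is the flag the inventory raises when an Equipment Rating change
// moves a Facility Rating; it carries what the downstream reviewers need to see.
type RatingChange struct {
	Facility           string
	Old, New           float64
	OldLimit, NewLimit string
}

// NotifyOnFacilityRatingChange lists the groups named on the slide that receive
// the automated notification and must re-check their models.
var NotifyOnFacilityRatingChange = []string{
	"Protection Engineering", "System Planning", "System Operations", "Operations Support",
}

// ApplyEquipmentRatingChange records a new rating for equipment id in every
// Facility that contains it and returns one flag per Facility whose rating moved.
// A non-limiting element that stays above the Facility Rating is updated but not
// flagged; uprating the limiting element re-derives the rating from the next most
// limiting element instead of adopting the new value.
func ApplyEquipmentRatingChange(inv []Facility, id string, rating float64) []RatingChange {
	var flags []RatingChange
	for i := range inv {
		before, beforeLimit := FacilityRating(inv[i])
		touched := false
		for j := range inv[i].Equipment {
			if inv[i].Equipment[j].ID == id {
				inv[i].Equipment[j].Rating = rating
				touched = true
			}
		}
		if !touched {
			continue
		}
		if after, afterLimit := FacilityRating(inv[i]); after != before {
			flags = append(flags, RatingChange{inv[i].Name, before, after, beforeLimit, afterLimit})
		}
	}
	return flags
}

// SampleInventory is a constructed two-Facility inventory (breaker, conductor, CT per line).
func SampleInventory() []Facility {
	return []Facility{
		{"Line 1", []Equipment{{"B1", 2000}, {"C1", 1200}, {"CT1", 1500}}},
		{"Line 2", []Equipment{{"B2", 2000}, {"C2", 1800}, {"CT2", 1900}}},
	}
}

func main() {
	inv := SampleInventory()
	steps := []struct {
		id     string
		rating float64
	}{{"CT1", 1600}, {"C1", 1000}, {"C1", 1800}}
	for _, s := range steps {
		flags := ApplyEquipmentRatingChange(inv, s.id, s.rating)
		fmt.Printf("%s -> %.0f A: %d Facility Rating change(s)\n", s.id, s.rating, len(flags))
		for _, f := range flags {
			fmt.Printf("  %s: %.0f (%s) -> %.0f (%s); notify %v\n",
				f.Facility, f.Old, f.OldLimit, f.New, f.NewLimit, NotifyOnFacilityRatingChange)
		}
	}
}
```

Two edge cases the flagging logic handles: a change to a non-limiting element that stays above the Facility Rating updates the inventory without a flag, and uprating the limiting element moves the Facility Rating to the next most limiting element rather than to the new value. Both are the kind of anomaly a field verification would otherwise have to catch.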
Questions?
Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23-24, 2019, Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
• Connecticut Light & Power, with over 1,270,000 electric customers
• NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
• Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Map figure labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider):
  Eversource Energy Service Company, NCR07176: DP X | TO X | TOP X | TP X | TSP X
A highly reliable and secure North American bulk power system
Framework to Address Known and Emerging Reliability Risks
Mark Lauby, NERC Senior Vice President and Chief Reliability Officer
2019 Compliance and Standards Workshop, July 23, 2019
[Figure: nested scope diagram]
Bulk Power System Reliability and Security
Bulk Power System Resilience
Bulk Electric System Reliability
Resilience is a Characteristic of a Reliable System
Solely the Bulk Power System: does not include local distribution systems
NERC Reliability Assurance: Standards, Compliance, Enforcement, Registration, Certification
NERC Reliability Assessments and Performance Analysis: Reliability Assessments, System Analysis, Events Analysis, Performance Analysis, Situational Awareness
Operator Training
E-ISAC
Resilience Indicators
[Figure: resilience curve R(t) against time t. Phases: Degradation, Recovery, Recovery State. Marked points and levels: Disruptive Event, Tdisruption, RALR-Nadir, Trebound, Trecovered, RTarget, R100 (Reliable). Indicators labeled: Robustness, Amplitude, Stable; recovered state marked as Improved or Deteriorated. Annotation: "If Detectable, Pre-Position".]
Ensuring ALR
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Disruptive Event
Reliable Operation
Avoid amp control (eg serve critical load)
Rel
iabi
lity
RTarget
Recovered Steady-State
If Detectable Pre-Position
Trecovered t
RELIABILITY | RESILIENCE | SECURITY5
Declaration amp Problem
bull DeclarationThe Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
bull Problem Statement ERO Enterprise has continued to lead industry in reliability and security
initiatives to identify known and emerging risks and their mitigation The reliability toolkit for risk mitigation the ERO currently deploys includes
for example webinars and conferences lessons learned Alerts Guidelines and standard development
A framework is needed to that provides a transparent process using industry and ERO Enterprise experts
Framework must include risk identification deployment of mitigation strategies to monitoring the success of these mitigations
RELIABILITY | RESILIENCE | SECURITY6
Six-Step Framework
1 Risk Identification2 Risk Prioritization3 Mitigation Identification and Evaluation4 Mitigation Deployment5 Measurement of Success6 Monitor Residual Risk
RELIABILITY | RESILIENCE | SECURITY7
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY8
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Parts 2.4 and 2.5 as well as CIP-010-3 Part 1.6 on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
"Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1." What R2 evidence demonstrating implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date? Archive SCRM evidence on a case-by-case basis. What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
"Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months." Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3), and no more than 15 calendar months apart thereafter. What R3 evidence will the CIP-013 audit team expect? What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1 Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 - Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach U.S. Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door, and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2. Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor - Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility: consideration of all applicable equipment; accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized: protection, analysis, monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations depend on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
(Diagram: Facility Ratings and the standards that rely on them: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4.)
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to Protection Engineering, System Planning, System Operations, and Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
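The Inventory, Verification and Change Management slides above describe three controls over one data set: the series equipment of each Facility with its Equipment Ratings. The following is an added example, not code from the presentation or from either of the (fictional) companies it describes, that carries those controls in a small inventory: the Facility Rating is established as the most limiting Equipment Rating, a detective verification compares recorded ratings with the equipment, and an approved Equipment Rating change is flagged when it moves the Facility Rating and routed to the groups the slide names with a follow-up checklist. The facility, equipment ids, ratings and approver are constructed for the example.

```python
"""Added example, not from the presentation: a small Facility Rating
inventory carrying the controls the Inventory, Verification and Change
Management slides describe. Company names, equipment ids and ratings are
constructed for this example.

Assumed model: a Facility is a series path of equipment, and its Facility
Rating is the most limiting (minimum) applicable Equipment Rating in that
path. An approved Equipment Rating change is evaluated for impact on the
Facility Rating; when the Facility Rating changes, a notification with a
follow-up checklist is raised for the downstream groups named on the slide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Equipment:
    equipment_id: str
    kind: str             # conductor, CT, breaker, disconnect, ...
    rating_amps: float    # applicable Equipment Rating
    source_doc: str       # where the rating came from (nameplate, study, ...)


@dataclass
class Facility:
    name: str
    series_equipment: List[Equipment]
    rated_amps: Optional[float] = None   # the established Facility Rating

    def most_limiting(self) -> Equipment:
        """The element with the lowest rating limits the whole series path."""
        return min(self.series_equipment, key=lambda e: e.rating_amps)


# Groups that consume Facility Ratings (from the Change Management slide).
NOTIFY_GROUPS = ["Protection Engineering", "System Planning",
                 "System Operations", "Operations Support"]


@dataclass
class Inventory:
    facilities: Dict[str, Facility] = field(default_factory=dict)
    notifications: List[dict] = field(default_factory=list)

    def establish_rating(self, name: str) -> float:
        """Set the Facility Rating from the most limiting Equipment Rating."""
        fac = self.facilities[name]
        fac.rated_amps = fac.most_limiting().rating_amps
        return fac.rated_amps

    def verify(self) -> List[str]:
        """Detective control: recorded Facility Rating vs. most limiting equipment."""
        findings = []
        for fac in self.facilities.values():
            limiting = fac.most_limiting()
            if fac.rated_amps != limiting.rating_amps:
                findings.append(
                    f"{fac.name}: recorded {fac.rated_amps} A but "
                    f"{limiting.equipment_id} limits to {limiting.rating_amps} A")
        return findings

    def change_equipment_rating(self, facility: str, equipment_id: str,
                                new_rating: float, approved_by: str) -> Optional[dict]:
        """Change-management control: apply an approved Equipment Rating change
        and flag whether it moves the Facility Rating."""
        if not approved_by:
            raise PermissionError("equipment rating changes need an approver first")
        fac = self.facilities[facility]
        eq = next((e for e in fac.series_equipment if e.equipment_id == equipment_id), None)
        if eq is None:
            raise KeyError(f"{equipment_id} is not in the inventory for {facility}")
        old_facility = fac.rated_amps
        eq.rating_amps = new_rating
        new_limiting = fac.most_limiting()
        if new_limiting.rating_amps == old_facility:
            return None   # Equipment Rating changed, Facility Rating did not
        fac.rated_amps = new_limiting.rating_amps
        note = {
            "facility": facility,
            "old_rating": old_facility,
            "new_rating": new_limiting.rating_amps,
            "limiting_element": new_limiting.equipment_id,
            "approved_by": approved_by,
            "follow_up": {group: False for group in NOTIFY_GROUPS},  # checklist
        }
        self.notifications.append(note)
        return note


def build_sample_inventory() -> Inventory:
    """Constructed sample: one line as a series path of four elements."""
    line = Facility("Line 1234", [
        Equipment("COND-1", "conductor", 1200.0, "conductor study 2018"),
        Equipment("CT-1", "current transformer", 1000.0, "nameplate"),
        Equipment("BKR-1", "breaker", 1600.0, "nameplate"),
        Equipment("DSC-1", "disconnect", 1200.0, "nameplate"),
    ])
    inv = Inventory()
    inv.facilities[line.name] = line
    inv.establish_rating(line.name)
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("verification findings:", inv.verify())
    print(inv.change_equipment_rating("Line 1234", "CT-1", 1500.0, approved_by="SME"))
```

In the sample the CT at 1000 A limits the line; raising the breaker rating changes nothing and produces no notification, while replacing the CT with a 1500 A unit moves the Facility Rating to the 1200 A conductor and raises a notification whose checklist the downstream groups must close out.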
Questions
Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23-24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
- Connecticut Light & Power, with over 1,270,000 electric customers
- NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
- Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approximately 8,000 employees.
(Service territory map labels: ISO-NE, NSTAR, CONVEX, ESCC.)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP
• As of January 2018, Eversource Energy's functional registration is now:

Registered Entity                                | DP (Distribution Provider) | TO (Transmission Owner) | TOP (Transmission Operator) | TP (Transmission Planner) | TSP (Transmission Service Provider)
Eversource Energy Service Company, NCR07176      | X                          | X                       | X                           | X                         | X
Framework to Address Known and Emerging Reliability Risks
Mark Lauby, NERC Senior Vice President and Chief Reliability Officer
2019 Compliance and Standards Workshop, July 23, 2019

Bulk Power System Reliability and Security
(Diagram: Bulk Power System Resilience; Bulk Electric System Reliability. Resilience is a characteristic of a reliable system. Solely the Bulk Power System: does not include local distribution systems.)
NERC Reliability Assurance: Standards, Compliance, Enforcement, Registration, Certification
NERC Reliability Assessments and Performance Analysis: Reliability Assessments, System Analysis, Events Analysis, Performance Analysis, Situational Awareness
Operator Training
E-ISAC
Resilience Indicators
(Diagram: reliability R(t) plotted against time t. Labels: Disruptive Event; T_disruption; R_ALR-Nadir; T_rebound; T_recovered; R_100 (Reliable); R_Target; Degradation, Recovery, Recovery State (Improved / Stable / Deteriorated); Robustness; Amplitude; "If Detectable: Pre-Position".)
Ensuring ALR
(Diagram: the same R(t) curve annotated for Reliable Operation. Labels: Disruptive Event; T_disruption; R_ALR-Nadir; T_rebound; T_recovered; R_100 (Reliable); R_Target; "Avoid & control (e.g., serve critical load)"; Recovered Steady-State; "If Detectable: Pre-Position".)
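The two diagrams above name the indicators (T_disruption, the ALR nadir, T_rebound, T_recovered, amplitude, and the recovered state) without saying how they are read off a curve. The following is an added example, not from the NERC presentation, that computes them from a sampled R(t) series; the indicator definitions are this example's own assumptions chosen to match the diagram labels, and the sample curve is constructed rather than measured.

```python
"""Added example, not from the NERC presentation: computing the resilience
indicators labelled on the 'Resilience Indicators' and 'Ensuring ALR'
diagrams from a sampled reliability curve R(t).

The indicator definitions are this example's assumptions, chosen to match
the diagram labels:
  T_disruption     first sample at which R(t) drops below R_target
  R_nadir          minimum of R(t) from T_disruption onward (the ALR nadir)
  T_rebound        sample at which the nadir is reached (recovery begins)
  T_recovered      first sample at or after T_rebound with R(t) >= R_target
  amplitude        R_target - R_nadir (depth of the dip)
  recovered state  final level compared with the pre-disruption level:
                   Improved / Stable / Deteriorated
The sample curve at the bottom is constructed, not measured data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ResilienceIndicators:
    t_disruption: Optional[float]
    t_rebound: Optional[float]
    t_recovered: Optional[float]
    r_nadir: Optional[float]
    amplitude: Optional[float]          # R_target - R_nadir
    degradation_time: Optional[float]   # T_rebound - T_disruption
    recovery_time: Optional[float]      # T_recovered - T_rebound
    recovered_state: str


def resilience_indicators(times: List[float], r: List[float],
                          r_target: float, tolerance: float = 0.5) -> ResilienceIndicators:
    """Walk the sampled curve phase by phase and read off the indicators."""
    if not times or len(times) != len(r):
        raise ValueError("times and r must be non-empty and the same length")

    # Degradation starts at the first sample below the target level.
    i_dis = next((i for i, v in enumerate(r) if v < r_target), None)
    if i_dis is None:
        return ResilienceIndicators(None, None, None, None, None, None, None,
                                    "No disruption")

    # The nadir is the lowest point after the disruption; rebound begins there.
    i_nadir = min(range(i_dis, len(r)), key=lambda i: r[i])

    # Recovery completes at the first later sample back at or above target.
    i_rec = next((i for i in range(i_nadir, len(r)) if r[i] >= r_target), None)

    pre_level = r[i_dis - 1] if i_dis > 0 else r_target
    if i_rec is None:
        state = "Not recovered"
    elif r[-1] > pre_level + tolerance:
        state = "Improved"
    elif r[-1] < pre_level - tolerance:
        state = "Deteriorated"
    else:
        state = "Stable"

    return ResilienceIndicators(
        t_disruption=times[i_dis],
        t_rebound=times[i_nadir],
        t_recovered=None if i_rec is None else times[i_rec],
        r_nadir=r[i_nadir],
        amplitude=r_target - r[i_nadir],
        degradation_time=times[i_nadir] - times[i_dis],
        recovery_time=None if i_rec is None else times[i_rec] - times[i_nadir],
        recovered_state=state,
    )


# Constructed sample curve: a 0-100 reliability index sampled hourly.
SAMPLE_T = list(range(13))
SAMPLE_R = [100, 100, 100, 100, 85, 60, 70, 85, 92, 100, 100, 100, 100]
R_TARGET = 90.0

if __name__ == "__main__":
    print(resilience_indicators(SAMPLE_T, SAMPLE_R, R_TARGET))
```

On the sample curve the disruption is detected at hour 4, the nadir of 60 is reached at hour 5 (amplitude 30 below target), recovery is complete at hour 8, and the final level matches the pre-event level, so the recovered state is Stable; a curve that never climbs back to R_target reports "Not recovered" with no T_recovered rather than a misleading value.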
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks.
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines, and standard development. A framework is needed that provides a transparent process using industry and ERO Enterprise experts. The framework must span risk identification, deployment of mitigation strategies, and monitoring of the success of these mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action.
5. A combination of tools can be used to gain industry action, setting the stage for standards as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon
Illustrative Diagram
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop, Minneapolis, MN, July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor - Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1-10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1 Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes: Part R1.1; Part R1.2 (Parts R1.2.1 - R1.2.6); CIP-005-6 (Parts 2.4, 2.5); CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 - R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2]. How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks." (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1)
(Bold font indicates [emphasis added] where applicable to draw attention to specific items.)
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks..." (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider ... options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable. Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan? What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
(Diagram) Facility Ratings, linked to the Reliability Standards that rely on them: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
- Its personnel will know to review Facility Ratings if equipment changes occur
- Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes are implemented
- Confirmation that changes were implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  - Protection Engineering
  - System Planning
  - System Operations
  - Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
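The three controls described in the Inventory, Verification and Change Management slides above, as one small worked model. This is an added example, not code from the NERC slides or from either of the illustrative companies; the Facility and equipment names, the ampere ratings, and the verify_facility_rating and apply_equipment_change helpers are constructed for illustration.

```python
"""Facility Rating inventory, verification and change-impact flagging.

Added example; not from the NERC workshop slides. It models the controls the
slides describe in their simplest form: a Facility Rating must equal the most
limiting Equipment Rating of the series equipment that comprises the Facility
(verification, a detective control), and an Equipment Rating change must be
evaluated for its impact on the Facility Rating and, when it changes, the
downstream groups notified (change management). All names and ratings are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Equipment:
    name: str
    rating_amps: int            # Equipment Rating (constructed value)


@dataclass
class Facility:
    name: str
    documented_rating_amps: int  # Facility Rating as recorded in the inventory
    series_equipment: list       # every series element that comprises the Facility


# Groups the slides list as recipients of automated Facility Rating change notices.
NOTIFY_GROUPS = ("Protection Engineering", "System Planning",
                 "System Operations", "Operations Support")


def most_limiting(facility):
    """Most limiting series element: the lowest Equipment Rating wins."""
    limiting = min(facility.series_equipment, key=lambda e: e.rating_amps)
    return limiting.name, limiting.rating_amps


def verify_facility_rating(facility):
    """Detective control. Returns None when the documented Facility Rating equals
    the most limiting Equipment Rating, otherwise a finding string. A rating that
    is too high is the reliability problem; one that is too low is flagged so the
    intent (e.g. a deliberate derate) can be confirmed and documented."""
    name, limit = most_limiting(facility)
    documented = facility.documented_rating_amps
    if documented > limit:
        return f"{facility.name}: documented {documented} A exceeds most limiting element {name} ({limit} A)"
    if documented < limit:
        return f"{facility.name}: documented {documented} A is below most limiting element {name} ({limit} A); confirm intent"
    return None


def apply_equipment_change(facility, equipment_name, new_rating_amps):
    """Change management: apply an Equipment Rating change, then report whether
    the Facility Rating moved and which groups must be notified. The documented
    Facility Rating is deliberately not rewritten here; that update goes through
    its own approval step, and verify_facility_rating() catches it if it is missed."""
    _, before = most_limiting(facility)
    target = next((e for e in facility.series_equipment if e.name == equipment_name), None)
    if target is None:
        raise KeyError(f"{equipment_name} is not part of {facility.name}")
    target.rating_amps = new_rating_amps
    new_name, after = most_limiting(facility)
    impacted = after != before
    return {
        "facility": facility.name,
        "before_amps": before,
        "after_amps": after,
        "limiting_element": new_name,
        "impacted": impacted,
        "notify": list(NOTIFY_GROUPS) if impacted else [],
    }


def sample_inventory():
    """Constructed inventory: two line Facilities with their series elements."""
    line_101 = Facility("Line 101", 1200, [
        Equipment("Breaker 101-1", 2000), Equipment("CT 101-1", 1200),
        Equipment("Conductor 101", 1500), Equipment("Disconnect 101-2", 1600)])
    line_102 = Facility("Line 102", 1500, [   # documented too high on purpose
        Equipment("Breaker 102-1", 2000), Equipment("CT 102-1", 1200),
        Equipment("Conductor 102", 1500)])
    return [line_101, line_102]


if __name__ == "__main__":
    inventory = sample_inventory()
    for fac in inventory:
        print(verify_facility_rating(fac) or f"{fac.name}: verified")
    print(apply_equipment_change(inventory[0], "CT 101-1", 1600))
    print(verify_facility_rating(inventory[0]))
```

Note the ordering the model enforces: after a CT re-rate raises Line 101's most limiting element, the change report says who to notify, and the next verification run flags the stale documented rating until the Facility Rating update has gone through its own approval. A change to a non-limiting element that drops it below the current limit is reported as impacting, which is the case a spreadsheet review most easily misses.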
Questions
Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
- Connecticut Light & Power, with over 1,270,000 electric customers
- NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
- Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
- Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  - Connecticut Light and Power (NCR07044)
  - NSTAR Electric Company (NCR7180)
  - Public Service of New Hampshire (NCR07203)
  - Western Massachusetts Electric (NCR07232)
- Benefits of registration consolidation include the following:
  - Supports efforts for consistency and best practice across 3 states
  - Efficiency through consolidation of external audits
- In January 2018 PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP
- As of January 2018, Eversource Energy's functional registration is now:

Registered Entity | DP (Distribution Provider) | TO (Transmission Owner) | TOP (Transmission Operator) | TP (Transmission Planner) | TSP (Transmission Service Provider)
Eversource Energy Service Company (NCR07176) | X | X | X | X | X
Bulk Power System Reliability and Security
(Diagram) Bulk Power System Resilience; Bulk Electric System Reliability; Resilience is a Characteristic of a Reliable System; Solely the Bulk Power System, does not include local distribution systems
- NERC Reliability Assurance: Standards, Compliance, Enforcement, Registration, Certification
- NERC Reliability Assessments and Performance Analysis: Reliability Assessments, System Analysis, Events Analysis, Performance Analysis, Situational Awareness
- Operator Training
- E-ISAC
Resilience Indicators
(Plot; only its labels survive extraction) Vertical axis: Reliability R(t); horizontal axis: t. Marked points: Disruptive Event, T_disruption, R_ALR-Nadir, T_rebound, T_recovered, R_Target, R_100 (Reliable). Phases: Degradation, Recovery, Recovery State (Improved / Stable / Deteriorated). Annotations: Robustness, Amplitude, "If Detectable: Pre-Position".
Ensuring ALR
(Plot; only its labels survive extraction) Vertical axis: Reliability R(t); horizontal axis: t. Marked points: Disruptive Event, T_disruption, R_ALR-Nadir, T_rebound, T_recovered, R_Target, R_100 (Reliable). Annotations: Reliable Operation; Avoid & control (e.g., serve critical load); Recovered Steady-State; "If Detectable: Pre-Position".
Declaration & Problem
- Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks.
- Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines, and standard development. A framework is needed that provides a transparent process using industry and ERO Enterprise experts. The framework must include risk identification, deployment of mitigation strategies, and monitoring of the success of these mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action.
5. A combination of tools can be used toward gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon
Illustrative Diagram
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology, processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
- One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements and/or Parts, and addresses risks associated with the reliable operations of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1 Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
- R1 procurement plan and processes:
  - Part 1.1
  - Part 1.2 (Parts 1.2.1 – 1.2.6)
  - CIP-005-6 (Parts 2.4, 2.5)
  - CIP-010-3 (Part 1.6)
- R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
- R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [Parts 1.2.1 – 1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts 1.1 and 1.2].
How can I comply with R1?
- "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1).
Note: Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part 1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
- Yes: remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part 1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six Part 1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part 1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part 1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents? What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part 1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do upon such access notifications?
CIP-013-1 Part 1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures? How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part 1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
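One way an entity could implement the Part 1.2.5 verification and capture the evidence an R2 implementation would archive, as an added example that is not from the WECC presentation or from the NATF guidance it cites. The vendor name, file names, payloads, manifest and the verify_patch and evidence_record helpers are all constructed; the example assumes the vendor's digest manifest was obtained through a channel separate from the download and its vendor signature checked out of band, which is what turns a hash match into an authenticity check rather than a bare integrity check.

```python
"""Software integrity and authenticity verification for a vendor patch.

Added example, not from the CIP-013-1 presentation. Models the Part 1.2.5
control: integrity (the file received matches the digest the vendor published)
and authenticity (that digest came through a trusted channel separate from the
download), then records the verification as an R2-style evidence artifact.
Vendor, file names, payloads and people are constructed sample data.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed payloads standing in for the vendor's firmware and patch files.
GOOD_FIRMWARE = b"RELAY FIRMWARE 4.2.1 (constructed payload)"
GOOD_PATCH = b"HMI SECURITY PATCH 2019-07 (constructed payload)"

# Constructed vendor manifest. Assumption: it was retrieved over an authenticated
# vendor channel and its vendor signature was checked out of band, so the digests
# in it are trusted independently of the downloaded files.
TRUSTED_MANIFEST = {
    "vendor": "ExampleRelayCo",                                # constructed
    "source": "vendor support portal, authenticated session",  # constructed
    "manifest_signature_verified": True,
    "files": {
        "relay-fw-4.2.1.bin": "sha256:" + hashlib.sha256(GOOD_FIRMWARE).hexdigest(),
        "hmi-patch-2019-07.zip": "sha256:" + hashlib.sha256(GOOD_PATCH).hexdigest(),
    },
}


def verify_patch(filename, data, manifest):
    """Check one received file against the trusted manifest.

    'status' is one of:
      'verified'            integrity and authenticity both established
      'untrusted_manifest'  manifest not authenticated, so a hash match proves nothing
      'unlisted_file'       the vendor never published a digest for this file name
      'integrity_failure'   digest mismatch (corrupt or tampered download)
    """
    if not manifest.get("manifest_signature_verified"):
        return {"file": filename, "status": "untrusted_manifest", "expected": None, "actual": None}
    expected = manifest["files"].get(filename)
    if expected is None:
        return {"file": filename, "status": "unlisted_file", "expected": None, "actual": None}
    algo, _, expected_hex = expected.partition(":")
    actual_hex = hashlib.new(algo, data).hexdigest()
    # Constant-time compare, so timing does not reveal how many digits matched.
    ok = hmac.compare_digest(actual_hex, expected_hex)
    return {
        "file": filename,
        "status": "verified" if ok else "integrity_failure",
        "expected": expected,
        "actual": f"{algo}:{actual_hex}",
    }


def evidence_record(result, manifest, verified_by, when=None):
    """Build the archive entry for this verification, the artifact an auditor
    would expect for each applicable procurement. Installation is approved only
    when the status is 'verified'."""
    when = when or datetime.now(timezone.utc)
    return {
        "requirement": "CIP-013-1 Part 1.2.5",
        "vendor": manifest["vendor"],
        "digest_source": manifest["source"],
        "file": result["file"],
        "expected_digest": result["expected"],
        "actual_digest": result["actual"],
        "status": result["status"],
        "approved_for_install": result["status"] == "verified",
        "verified_by": verified_by,
        "verified_at": when.isoformat(),
    }


if __name__ == "__main__":
    samples = (("relay-fw-4.2.1.bin", GOOD_FIRMWARE),
               ("relay-fw-4.2.1.bin", GOOD_FIRMWARE + b"\x00"),   # tampered copy
               ("unknown-tool.exe", b"not in the manifest"))
    for name, blob in samples:
        rec = evidence_record(verify_patch(name, blob, TRUSTED_MANIFEST),
                              TRUSTED_MANIFEST, "J. Engineer (constructed)")
        print(rec["file"], rec["status"], "install approved:", rec["approved_for_install"])
```

The evidence record answers the second question on the slide: once verified, the entity keeps the expected and actual digests, where the digest came from, who checked it and when, and only a 'verified' record carries install approval. An untrusted manifest is treated as a failure in its own right, because comparing a download against a digest fetched from the same untrusted place establishes nothing about authenticity.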
CIP-013-1 Part 1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
- In its R1 procurement plan
- For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3), and no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect? What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
- Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
- Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
- Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
- FERC (2018, October 26). Order No. 850, CIP-013-1 – Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992–54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
- NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4–43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
- NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
- NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
- Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689–22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
- Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739–11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
- NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
- Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
- Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1–3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
- Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
- Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
- Develop and document the R1 SCRM procurement plan
- Develop an R2 implementation plan for the R1 SCRM plan
- Approve the initial R1 SCRM plan on or before July 1, 2020
- Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
RELIABILITY | RESILIENCE | SECURITY3
Resilience Indicators
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Trecovered
Disruptive Event
Rel
iabi
lity
RTarget
Degradation Recovery Recovery State
Improved
Deteriorated
Robustness
t
If Detectable Pre-Position
Amplitude
Stable
RELIABILITY | RESILIENCE | SECURITY4
Ensuring ALR
R(t)
Tdisruption
RALR-Nadir
Trebound
R100 Reliable
Disruptive Event
Reliable Operation
Avoid amp control (eg serve critical load)
Rel
iabi
lity
RTarget
Recovered Steady-State
If Detectable Pre-Position
Trecovered t
RELIABILITY | RESILIENCE | SECURITY5
Declaration amp Problem
bull DeclarationThe Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
bull Problem Statement ERO Enterprise has continued to lead industry in reliability and security
initiatives to identify known and emerging risks and their mitigation The reliability toolkit for risk mitigation the ERO currently deploys includes
for example webinars and conferences lessons learned Alerts Guidelines and standard development
A framework is needed to that provides a transparent process using industry and ERO Enterprise experts
Framework must include risk identification deployment of mitigation strategies to monitoring the success of these mitigations
RELIABILITY | RESILIENCE | SECURITY6
Six-Step Framework
1 Risk Identification2 Risk Prioritization3 Mitigation Identification and Evaluation4 Mitigation Deployment5 Measurement of Success6 Monitor Residual Risk
RELIABILITY | RESILIENCE | SECURITY7
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY8
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  Part R1.1
  Part R1.2 (Parts R1.2.1 – R1.2.6)
  CIP-005-6 (Parts 2.4, 2.5)
  CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC, 2017 April, SCRM Implementation Guidance, General Considerations, p. 1).
Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1 – 1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3), and no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1: Supply Chain Risk Management Reliability Standard, Final Rule, 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. Federal Register, 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1, Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. Federal Register, 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. Federal Register, 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1-3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door, and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
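Part R1.2.5 above (and CIP-010-3 Part 1.6) asks how an entity can verify the integrity and authenticity of vendor-supplied software and patches. The Go program below is an added example from the editor, not part of the WECC presentation or of any NERC or NATF guidance. It assumes the vendor publishes a SHA-256 manifest for each release and signs it with a code-signing key, and that the entity has pinned the vendor's public key from a source independent of the download; the Ed25519 signing, the file names and the file contents are constructed stand-ins. Authenticity (the manifest signature) is checked before integrity (each file's hash), and the program exercises the four deliveries that must be rejected: an altered file, an attacker-reissued manifest, a key that was not pinned out of band, and a file the signed manifest never listed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each delivered file name to the hex SHA-256 the vendor published for it.
type Manifest map[string]string

// canonical renders the manifest as sorted sha256sum-style lines so the
// signature covers exactly the bytes the entity later checks.
func canonical(m Manifest) []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// VendorSign stands in for the vendor's release step: hash each artifact,
// then sign the manifest with the vendor's private code-signing key.
func VendorSign(priv ed25519.PrivateKey, files map[string][]byte) (Manifest, []byte) {
	m := Manifest{}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m, ed25519.Sign(priv, canonical(m))
}

// Verify is the receiving entity's gate before anything is staged for a BCS. pinnedPub
// must come from a channel independent of the download, or the authenticity check proves nothing.
func Verify(pinnedPub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pinnedPub, canonical(m), sig) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	if len(files) != len(m) {
		return fmt.Errorf("file set mismatch: %d delivered, %d listed in signed manifest", len(files), len(m))
	}
	for name, data := range files {
		want, err := hex.DecodeString(m[name]) // "" for a file the manifest never listed
		if err != nil || len(want) != sha256.Size {
			return fmt.Errorf("%s: not listed in signed manifest or malformed digest", name)
		}
		got := sha256.Sum256(data)
		if subtle.ConstantTimeCompare(got[:], want) != 1 {
			return fmt.Errorf("%s: SHA-256 mismatch", name)
		}
	}
	return nil
}

// RunScenarios exercises Verify against a genuine delivery and four failure modes
// it must reject. Keys, file names and contents are constructed here; nothing is downloaded.
func RunScenarios() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's, or a mis-pinned key
	files := map[string][]byte{
		"rtu-fw-4.2.1.bin":  []byte("constructed firmware image bytes"),
		"RELEASE-NOTES.txt": []byte("constructed release notes"),
	}
	m, sig := VendorSign(vendorPriv, files)
	res := map[string]error{"genuine": Verify(vendorPub, m, sig, files)}
	// Image altered in transit; the signed manifest is untouched.
	tampered := map[string][]byte{
		"rtu-fw-4.2.1.bin":  []byte("constructed firmware image bytes, altered"),
		"RELEASE-NOTES.txt": files["RELEASE-NOTES.txt"],
	}
	res["tampered_file"] = Verify(vendorPub, m, sig, tampered)
	// Attacker also reissues a manifest whose hashes match the altered image,
	// but cannot produce the vendor's signature.
	m2, sig2 := VendorSign(otherPriv, tampered)
	res["reissued_manifest"] = Verify(vendorPub, m2, sig2, tampered)
	// Genuine delivery checked against a key that is not the vendor's pinned key.
	res["wrong_key"] = Verify(otherPub, m, sig, files)
	// A file the signed manifest never listed arrives with the delivery.
	files["helper.dll"] = []byte("unlisted file")
	res["extra_file"] = Verify(vendorPub, m, sig, files)
	return res
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-18s %v\n", name, err) // <nil> means accepted
	}
}
```

Run it with `go run`; each scenario prints `<nil>` when accepted or the reason it was rejected. The order of checks matters: a manifest that was not signed by the pinned key is rejected before any hash is compared, so an attacker who controls the download location cannot make a swapped image "pass" by publishing matching hashes alongside it. The rejection reason, and for an accepted delivery the verified hashes and the key used, are the items worth keeping with the procurement record as R2 evidence.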
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
• Protection
• Analysis
• Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.

Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
• Establishing Facility Ratings
• Evaluating change impacts
• Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.

Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.

Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example (diagram): Facility Ratings at the center, linked to the standards that depend on them: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1 and PRC-023-4.
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned

Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to Protection Engineering, System Planning, System Operations and Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
Questions
Break
Webinar participants: We will return at 3:45 pm Central.

Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019, Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

  Registered Entity                    NCR        DP   TO   TOP   TP   TSP
  Eversource Energy Service Company    NCR07176   X    X    X     X    X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
Ensuring ALR (figure): reliability R(t) plotted against time t. A Disruptive Event at T_disruption takes the system from Reliable Operation (R = 100% Reliable) down to a nadir, R_ALR-Nadir; the entity aims to avoid and control the event (e.g., serve critical load), rebound at T_rebound, and reach a Recovered Steady-State at or above R_Target by T_recovered. If the event is detectable, pre-position.
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks.
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines and standard development.
A framework is needed that provides a transparent process using industry and ERO Enterprise experts.
The framework must include risk identification, deployment of mitigation strategies, and monitoring the success of these mitigations.
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts will be used for time-sensitive information, to request action, or to direct action.
5. A combination of tools can be used towards gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness and severity have a bearing on when a Reliability Standard is required.

Risk Tools and Time Horizon (diagram)

Illustrative Diagram
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
• Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
• Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures
• Be proactive and monitor for future changes in CIP-013-2
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor - Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
  - Consideration of all applicable equipment
  - Accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized
  - Protection
  - Analysis
  - Monitoring
Internal Controls
• Internal controls are the processes and tools an entity utilizes to meet the identified objectives
• All entities will have some level of internal controls in place
• Internal control expectations are dependent on the inherent risk of the entity
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
- Annual reviews
- Roles and responsibilities
- Identification of tools
- Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
- Equipment Rating documentation
- Flagging when Equipment Rating changes impact Facility Ratings
- Identification of Facilities with unique characteristics
- Required fields dependent on characteristics of Facilities
- Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate
- Anomalies evaluated for applicability to other Facilities
- Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example (diagram): Facility Ratings shown in relation to TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1 and PRC-023-4
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
- Its personnel will know to review Facility Ratings if equipment changes occur
- Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes are implemented
- Confirmation that changes were implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
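The inventory, verification and change management controls on the preceding slides can be made mechanical rather than left to "personnel will know". The Go program below is an added example; it is not part of the workshop material and not any registered entity's system. Equipment IDs, ratings and the Facility are constructed, the Facility Rating is computed as the most limiting (minimum) series Equipment Rating as stated on the Objectives slide, and the notification list is the four groups named on the change management slide. The "documented rating" check is the detective control from the Verification slide; the change evaluation works on a copy so the inventory is only updated after approval.

```go
package main

import (
	"fmt"
	"sort"
)

// Equipment is one series element of a Facility with its Equipment Rating in
// amperes. All names and ratings in this file are constructed for the example.
type Equipment struct {
	ID     string
	Rating float64
}

// Facility groups the series equipment whose most limiting Equipment Rating
// determines the Facility Rating (the FAC-008 objective on the Objectives slide).
type Facility struct {
	Name      string
	Equipment []Equipment
}

// FacilityRating returns the most limiting Equipment Rating and the IDs of the
// elements that set it; more than one element may tie.
func FacilityRating(f Facility) (float64, []string) {
	limit, limiting := 0.0, []string(nil)
	for i, e := range f.Equipment {
		switch {
		case i == 0 || e.Rating < limit:
			limit, limiting = e.Rating, []string{e.ID}
		case e.Rating == limit:
			limiting = append(limiting, e.ID)
		}
	}
	sort.Strings(limiting)
	return limit, limiting
}

// VerifyDocumentedRating is the detective control: recompute the Facility Rating
// from the Equipment Ratings and report any mismatch with the documented value.
func VerifyDocumentedRating(f Facility, documented float64) error {
	computed, limiting := FacilityRating(f)
	if documented != computed {
		return fmt.Errorf("%s: documented Facility Rating %.0f A differs from most limiting Equipment Rating %.0f A (set by %v)",
			f.Name, documented, computed, limiting)
	}
	return nil
}

// DownstreamGroups must be notified when a Facility Rating changes (the list on
// the change management slide).
var DownstreamGroups = []string{"Protection Engineering", "System Planning", "System Operations", "Operations Support"}

type ChangeImpact struct {
	EquipmentID       string
	OldFacilityRating float64
	NewFacilityRating float64
	RatingChanged     bool
	Notify            []string
}

// EvaluateRatingChange applies a proposed Equipment Rating change to a copy of
// the Facility (the inventory itself is updated only after approval) and reports
// whether the Facility Rating moves and who must then be notified.
func EvaluateRatingChange(f Facility, equipmentID string, newRating float64) (ChangeImpact, error) {
	oldRating, _ := FacilityRating(f)
	proposed := Facility{Name: f.Name, Equipment: append([]Equipment(nil), f.Equipment...)}
	found := false
	for i := range proposed.Equipment {
		if proposed.Equipment[i].ID == equipmentID {
			proposed.Equipment[i].Rating, found = newRating, true
		}
	}
	if !found {
		return ChangeImpact{}, fmt.Errorf("%s: equipment %q is not in the inventory", f.Name, equipmentID)
	}
	newFacilityRating, _ := FacilityRating(proposed)
	impact := ChangeImpact{EquipmentID: equipmentID, OldFacilityRating: oldRating,
		NewFacilityRating: newFacilityRating, RatingChanged: newFacilityRating != oldRating}
	if impact.RatingChanged {
		impact.Notify = append([]string(nil), DownstreamGroups...)
	}
	return impact, nil
}

// SampleFacility is a constructed line terminal: breaker, CT, disconnect, conductor.
func SampleFacility() Facility {
	return Facility{Name: "Line 123 terminal", Equipment: []Equipment{
		{ID: "CB-1", Rating: 2000}, {ID: "CT-1", Rating: 1200}, {ID: "DS-1", Rating: 1600}, {ID: "COND-1", Rating: 1450},
	}}
}

func main() {
	f := SampleFacility()
	rating, limiting := FacilityRating(f)
	fmt.Printf("%s: Facility Rating %.0f A, limited by %v\n", f.Name, rating, limiting)
	impact, _ := EvaluateRatingChange(f, "CT-1", 2000)
	fmt.Printf("CT-1 to 2000 A: %.0f -> %.0f A, notify %v\n", impact.OldFacilityRating, impact.NewFacilityRating, impact.Notify)
}
```

Replacing the 1200 A CT moves the most limiting element to the 1450 A conductor, so the Facility Rating changes and all four groups are flagged; derating the 2000 A breaker to 1900 A leaves the rating at 1200 A and triggers no notification. A documented rating of 1450 A for the unchanged Facility is reported as a verification finding, which is exactly the mismatch a field inspection is meant to catch.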
Questions
Break: Webinar participants, we will return at 3:45 pm Central
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in the CT, MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers
Eversource serves nearly 230,000 water customers through Aquarion Water Company
Eversource has approx. 8,000 employees
(Service territory map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018 PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP
• As of January 2018, Eversource Energy's functional registration is now:

Entity                                         DP   TO   TOP   TP   TSP
Eversource Energy Service Company (NCR07176)   X    X    X     X    X

DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider
Declaration & Problem
• Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
• Problem Statement: The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation. The reliability toolkit for risk mitigation the ERO currently deploys includes, for example, webinars and conferences, lessons learned, Alerts, Guidelines and standard development.
  - A framework is needed that provides a transparent process using industry and ERO Enterprise experts
  - The framework must span risk identification, deployment of mitigation strategies, and monitoring of the success of these mitigations
Six-Step Framework
1. Risk Identification
2. Risk Prioritization
3. Mitigation Identification and Evaluation
4. Mitigation Deployment
5. Measurement of Success
6. Monitor Residual Risk
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts that are either probable or improbable
4. Alerts will be used for time-sensitive information, whether for information only, to request action, or to direct action
5. A combination of tools can be used towards gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness and severity have a bearing on when a Reliability Standard is required
Risk Tools and Time Horizon (diagram)
Illustrative Diagram (figure)
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor - Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC, 2017 April, Implementation Guidance, pp. 1–10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products and required services that may require a different approach
Thus one size does not fit all, as the devil is always in the details of any specific plan
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1)
CIP-013-1 audits will begin next year
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  - Part R1.1
  - Part 1.2 (Parts R1.2.1 – R1.2.6)
  - CIP-005-6 (Parts 2.4, 2.5)
  - CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2]
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC, 2017 April, SCRM Implementation Guidance, General Considerations, p. 1)
Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks..." (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider ... options for mitigating these risks" (Part 1.1, p. 11)
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
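One concrete answer to the first question on this slide, written as an added example rather than anything taken from the Standard, the NATF guidance or a vendor: a Go program that checks a vendor-supplied patch against a vendor-signed digest manifest, and produces the record a prudent entity would retain as R2 evidence. The file name, patch bytes, manifest format (sha256sum style lines) and the Ed25519 key pair are all constructed for the example; the vendor's public key is assumed to have been obtained out of band, never from the same download as the patch. The order of checks, authenticity of the signed manifest first and only then the patch digest against it, is the assumed design; the same verification of source identity and integrity is what CIP-010-3 Part 1.6 asks for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// NewVendorKeys stands in for the vendor's release-signing key pair. The entity
// holds only the public key, obtained out of band and kept in its own key list.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest (vendor side): "sha256hex  name" lines, sorted so the bytes are deterministic.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&sb, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(sb.String())
}

// SignManifest (vendor side) is a detached Ed25519 signature over the manifest.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// ParseManifest maps file name -> expected hex digest; any line that is not
// exactly "<64 hex chars> <name>" is an error rather than silently skipped.
func ParseManifest(data []byte) (map[string]string, error) {
	expected := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		expected[f[1]] = strings.ToLower(f[0])
	}
	return expected, nil
}

// EvidenceRecord is what the entity retains per verified patch as R2 evidence.
type EvidenceRecord struct {
	Artifact       string
	SHA256         string
	ManifestSigned bool // authenticity: the vendor's key verified the manifest
	IntegrityOK    bool // integrity: the computed digest matched the manifest
	Result         string
}

// VerifyVendorPatch checks authenticity (vendor signature over the manifest)
// before integrity (patch digest listed in that signed manifest). Either failure
// returns an error, so the patch is not released into the BCS change process.
func VerifyVendorPatch(pub ed25519.PublicKey, manifest, sig []byte, name string, patch []byte) (EvidenceRecord, error) {
	sum := sha256.Sum256(patch)
	rec := EvidenceRecord{Artifact: name, SHA256: hex.EncodeToString(sum[:])}
	reject := func(why string) (EvidenceRecord, error) {
		rec.Result = "REJECT: " + why
		return rec, fmt.Errorf("%s: %s", name, rec.Result)
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, manifest, sig) {
		return reject("manifest signature does not verify with the vendor's public key")
	}
	rec.ManifestSigned = true
	expected, err := ParseManifest(manifest)
	if err != nil {
		return reject(err.Error())
	}
	if want, ok := expected[name]; !ok {
		return reject("file is not listed in the signed manifest")
	} else if want != rec.SHA256 {
		return reject("computed SHA-256 does not match the signed manifest")
	}
	rec.IntegrityOK = true
	rec.Result = "ACCEPT: authenticity and integrity verified"
	return rec, nil
}

func main() {
	pub, priv, err := NewVendorKeys()
	if err != nil {
		panic(err)
	}
	patch := []byte("constructed relay firmware image, not a real vendor file")
	manifest := BuildManifest(map[string][]byte{"relay-fw-2.3.1.bin": patch})
	sig := SignManifest(priv, manifest)
	for _, candidate := range [][]byte{patch, append([]byte("modified "), patch...)} {
		rec, _ := VerifyVendorPatch(pub, manifest, sig, "relay-fw-2.3.1.bin", candidate)
		fmt.Printf("%s: %s\n", rec.Artifact, rec.Result)
	}
}
```

The evidence record distinguishes the two failure modes an auditor will ask about: a manifest that does not verify with the vendor's key (the source cannot be trusted, so no digest in it is meaningful) versus a correctly signed manifest whose digest the delivered file does not match (the file was altered or is the wrong release). A bare digest published next to the download proves nothing on its own, because whoever can replace the file can replace the digest; the signature over the manifest is what ties the digest to the vendor.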
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1-1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3)
No more than 15 calendar months apart thereafter
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, ¶ 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1 - Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
RELIABILITY | RESILIENCE | SECURITY6
Six-Step Framework
1 Risk Identification2 Risk Prioritization3 Mitigation Identification and Evaluation4 Mitigation Deployment5 Measurement of Success6 Monitor Residual Risk
RELIABILITY | RESILIENCE | SECURITY7
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY8
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security, WECC

SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.

SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium impact BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  – Part 1.1
  – Part 1.2 (Parts 1.2.1 – 1.2.6)
  – CIP-005-6 (Parts 2.4, 2.5)
  – CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.

Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [Parts 1.2.1 – 1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA (Interactive Remote Access) and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts 1.1 and 1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1).

CIP-013-1 Part 1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement R1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).

CIP-013-1 Part 1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six Part 1.2 items in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part 1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?

CIP-013-1 Part 1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?

CIP-013-1 Part 1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?

CIP-013-1 Part 1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part 1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
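Part 1.2.5 asks how an entity can verify software integrity and authenticity. The following is an added example written for this page; it is not code from the presentation, from WECC or from NERC. It assumes, hypothetically, a vendor that publishes a sha256sum-style manifest and a detached Ed25519 signature over that manifest, and an entity that obtained the vendor's public key out-of-band during procurement and pinned it; the type and function names are the example's own. Authenticity is checked before integrity, because a list of hashes means nothing until its source is established, and a package with a missing or unlisted file is rejected just like one with an altered file.

```go
// Added example for this page, not code from the presentation, WECC or NERC:
// an entity-side check that a vendor package is authentic (manifest signed
// by the vendor) and intact (file hashes match) before it is staged for a BCS.
// Hypothetical assumptions: the vendor publishes a sha256sum-style manifest
// ("<sha256 hex>  <filename>" per line) and a detached Ed25519 signature over
// it; the entity pinned the vendor's public key, obtained out-of-band during
// procurement. PackageFile, BuildManifest and VerifyPackage are this example's names.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// PackageFile is one delivered artifact: its name and contents.
type PackageFile struct {
	Name string
	Data []byte
}

// BuildManifest is the vendor side: one "<sha256 hex>  <name>" line per file.
func BuildManifest(files []PackageFile) []byte {
	var b strings.Builder
	for _, f := range files {
		sum := sha256.Sum256(f.Data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), f.Name)
	}
	return []byte(b.String())
}

// VerifyPackage is the entity side. Authenticity comes first: only a manifest
// that verifies under the pinned key is trusted to state expected hashes. Every
// delivered file must then match, and every listed file must be present.
func VerifyPackage(pinned ed25519.PublicKey, manifest, sig []byte, files []PackageFile) error {
	if len(pinned) != ed25519.PublicKeySize {
		return fmt.Errorf("pinned vendor key has wrong length %d", len(pinned))
	}
	if !ed25519.Verify(pinned, manifest, sig) {
		return fmt.Errorf("authenticity failure: manifest signature does not verify under pinned vendor key")
	}
	expected := make(map[string][]byte)
	for i, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("manifest line %d is malformed: %q", i+1, line)
		}
		digest, err := hex.DecodeString(parts[0])
		if err != nil || len(digest) != sha256.Size {
			return fmt.Errorf("manifest line %d has a bad sha256 digest", i+1)
		}
		if _, dup := expected[parts[1]]; dup {
			return fmt.Errorf("manifest lists %q twice", parts[1])
		}
		expected[parts[1]] = digest
	}
	seen := make(map[string]bool, len(files))
	for _, f := range files {
		want, listed := expected[f.Name]
		if !listed {
			return fmt.Errorf("delivered file %q is not in the signed manifest", f.Name)
		}
		got := sha256.Sum256(f.Data)
		if subtle.ConstantTimeCompare(got[:], want) != 1 {
			return fmt.Errorf("integrity failure: %q does not match its signed digest", f.Name)
		}
		seen[f.Name] = true
	}
	for name := range expected {
		if !seen[name] {
			return fmt.Errorf("manifest lists %q but it was not delivered", name)
		}
	}
	return nil
}

func main() {
	// Vendor side (simulated): signing key, constructed sample files, signed manifest.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := []PackageFile{
		{Name: "rtu-firmware-4.2.1.bin", Data: []byte("constructed firmware image bytes")},
		{Name: "release-notes.txt", Data: []byte("constructed release notes")},
	}
	manifest := BuildManifest(files)
	sig := ed25519.Sign(vendorPriv, manifest)

	// Entity side: run the check before staging, and watch it fail on tampering.
	fmt.Println("clean package:", VerifyPackage(vendorPub, manifest, sig, files))
	altered := []PackageFile{{Name: files[0].Name, Data: []byte("Xonstructed firmware image bytes")}, files[1]}
	fmt.Println("altered firmware:", VerifyPackage(vendorPub, manifest, sig, altered))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("re-signed by unknown key:", VerifyPackage(vendorPub, manifest, ed25519.Sign(otherPriv, manifest), files))
}
```

The pinned key is the trust anchor of this check: it has to be obtained and updated through a channel separate from the software download itself, otherwise whoever controls the download site can simply re-sign a modified manifest with a key of their choosing. The manifest, signature and verification result are the natural R2 artifacts to archive for the procurement.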
CIP-013-1 Part 1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?

Documenting Parts 1.2.1 – 1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation

Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?

Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?

Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3); no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1 – Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. Federal Register 83(208), pp. 53992–54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. MRC Agenda Item 9, pp. 4–43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. Federal Register 84(96), pp. 22689–22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. Federal Register 78(33), pp. 11739–11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1–3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium impact BCS after July 1, 2020.
Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?

Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls

Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
• Protection analysis
• Monitoring

Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management

Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.

Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.

Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions

Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
• Establishing Facility Ratings
• Evaluating change impacts
• Verifying Facility Ratings

Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.

Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.

Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.

Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections

Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System

Change Management Example (diagram showing Facility Ratings with TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1 and PRC-023-4)
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change

Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned

Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  – Protection Engineering
  – System Planning
  – System Operations
  – Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models

Questions

Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance

Eversource Energy Service Territories
Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018 PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

  Registered Entity                   NCR        DP   TO   TOP   TP   TSP
  Eversource Energy Service Company   NCR07176   X    X    X     X    X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
RELIABILITY | RESILIENCE | SECURITY7
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY8
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1, Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
• Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
• Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures
• Be proactive and monitor for future changes in CIP-013-2
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized in:
• Protection
• Analysis
• Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
• Establishing Facility Ratings
• Evaluating change impacts
• Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example
[Diagram: Facility Ratings are linked to the following Standards: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
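As an added example, not from the presentation or from either hypothetical company: a Go model of the Inventory Example 2 and Change Management Example 2 controls above, deriving each Facility Rating as the most limiting series Equipment Rating, flagging which Facilities an Equipment Rating change actually moves (the automated notification trigger), and running the detective comparison of documented versus derived ratings. Equipment IDs and ampere ratings are constructed sample values.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Facility: the series equipment that comprises it and the Facility Rating on
// record. Ratings are amps; all IDs and values are constructed sample data.
type Facility struct {
	ID        string
	Equipment []string // IDs of the series equipment
	OnRecord  float64  // documented Facility Rating
}

// Inventory is the FAC-008 tracking database: Equipment Ratings and Facilities.
type Inventory struct {
	Equipment  map[string]float64 // equipment ID -> Equipment Rating
	Facilities map[string]*Facility
}

// Impact is raised when an Equipment Rating change moves a Facility Rating.
type Impact struct {
	FacilityID, LimitingElement string
	OldRating, NewRating        float64
}

// Recipients of the automated Facility Rating change notification.
var Recipients = []string{"Protection Engineering", "System Planning",
	"System Operations", "Operations Support"}

// RatingOf derives the Facility Rating as the most limiting (lowest) Equipment
// Rating among the series equipment and names the limiting element.
func (inv *Inventory) RatingOf(facID string) (float64, string, error) {
	f, ok := inv.Facilities[facID]
	if !ok || len(f.Equipment) == 0 {
		return 0, "", fmt.Errorf("facility %q unknown or lists no equipment", facID)
	}
	limit, elem := math.Inf(1), ""
	for _, eid := range f.Equipment {
		r, ok := inv.Equipment[eid]
		if !ok { // no documented Equipment Rating: cannot derive a Facility Rating
			return 0, "", fmt.Errorf("facility %q references unknown equipment %q", facID, eid)
		}
		if r < limit {
			limit, elem = r, eid
		}
	}
	return limit, elem, nil
}

// Verify is the detective control: Facilities whose documented rating differs
// from the rating derived from the equipment inventory (sorted by ID).
func (inv *Inventory) Verify() []string {
	var mismatched []string
	for id, f := range inv.Facilities {
		if derived, _, err := inv.RatingOf(id); err != nil || derived != f.OnRecord {
			mismatched = append(mismatched, id)
		}
	}
	sort.Strings(mismatched)
	return mismatched
}

// ChangeEquipmentRating records a new Equipment Rating, then re-derives every
// Facility Rating and flags (and updates) each record that moved. Re-checking
// all Facilities also surfaces any record that was already stale.
func (inv *Inventory) ChangeEquipmentRating(eid string, newRating float64) ([]Impact, error) {
	if _, ok := inv.Equipment[eid]; !ok {
		return nil, fmt.Errorf("unknown equipment %q", eid)
	}
	inv.Equipment[eid] = newRating
	ids := make([]string, 0, len(inv.Facilities))
	for id := range inv.Facilities {
		ids = append(ids, id)
	}
	sort.Strings(ids) // deterministic notification order
	var impacts []Impact
	for _, id := range ids {
		f := inv.Facilities[id]
		derived, elem, err := inv.RatingOf(id)
		if err != nil {
			return nil, err
		}
		if derived != f.OnRecord {
			impacts = append(impacts, Impact{id, elem, f.OnRecord, derived})
			f.OnRecord = derived
		}
	}
	return impacts, nil
}

// NewSampleInventory builds two constructed line Facilities.
func NewSampleInventory() *Inventory {
	return &Inventory{
		Equipment: map[string]float64{
			"BKR-101": 1200, "CT-101": 1000, "COND-1": 1100, "TRAP-1": 1150,
			"BKR-102": 2000, "CT-102": 1600, "COND-2": 1800,
		},
		Facilities: map[string]*Facility{
			"LINE-1": {ID: "LINE-1", OnRecord: 1000,
				Equipment: []string{"BKR-101", "CT-101", "COND-1", "TRAP-1"}},
			"LINE-2": {ID: "LINE-2", OnRecord: 1600,
				Equipment: []string{"BKR-102", "CT-102", "COND-2"}},
		},
	}
}
```

Replacing the limiting CT-101 (1000 A) with a 1300 A unit moves LINE-1 to 1100 A, limited by COND-1, and that single Impact is what would be pushed to Recipients; raising a non-limiting breaker produces no Impact at all.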
Questions
Break: Webinar participants, we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Map labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP
• As of January 2018, Eversource Energy's functional registration is now:
Registered Entity | NCR ID | DP | TO | TOP | TP | TSP
Eversource Energy Service Company | NCR07176 | X | X | X | X | X
(DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
Six-Step Framework
[Figure: Six-Step Framework, presented across five slides]
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts will be used for time-sensitive information: for information, to request action or to direct action.
5. A combination of tools can be used towards gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon
[Figure: Risk Tools and Time Horizon]
Illustrative Diagram
[Figure: Illustrative Diagram]
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements and/or Parts, and that address risks associated with the reliable operations of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  • Part R1.1
  • Part 1.2 (Parts R1.2.1 – R1.2.6)
  • CIP-005-6 (Parts 2.4, 2.5)
  • CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1).
Note: Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes; remember the CIP-013-1 Security Objective: "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
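As an added illustration of the two checks Part R1.2.5 (and CIP-010-3 Part 1.6) call for, and not code from the presentation, WECC or NERC: a Go program that recomputes a patch's SHA-256 against the vendor-published digest (integrity) and then checks an Ed25519 signature over that digest under a vendor key pinned out of band (authenticity), reporting which of the two failed. The bundle layout, the choice of Ed25519, and the keys and patch bytes are constructed assumptions for this example; a real vendor's signing format will differ.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keeping the two failures distinct matters for follow-up: an integrity
// failure may be a corrupt download, while an authenticity failure means the
// package was not signed by the key on file for this vendor.
var (
	ErrIntegrity    = errors.New("integrity: SHA-256 of patch does not match published digest")
	ErrAuthenticity = errors.New("authenticity: digest signature not valid under pinned vendor key")
)

// Bundle is a hypothetical delivery format: the patch, its published SHA-256
// (hex) and an Ed25519 signature over the raw digest bytes.
type Bundle struct {
	Patch     []byte
	DigestHex string
	Signature []byte
}

// VerifyPatch runs the Part 1.2.5 / CIP-010-3 R1.6 checks before a patch is
// staged for a BES Cyber System. vendorKey must be obtained and pinned through
// a channel separate from the download (for example recorded in the
// procurement file); a key shipped alongside the patch proves nothing.
func VerifyPatch(vendorKey ed25519.PublicKey, b Bundle) error {
	sum := sha256.Sum256(b.Patch)
	want, err := hex.DecodeString(b.DigestHex)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrIntegrity
	}
	// Length check first: ed25519.Verify panics on a malformed public key.
	if len(vendorKey) != ed25519.PublicKeySize || !ed25519.Verify(vendorKey, sum[:], b.Signature) {
		return ErrAuthenticity
	}
	return nil
}

// SignBundle plays the vendor's role so the example is self-contained.
func SignBundle(vendorPriv ed25519.PrivateKey, patch []byte) Bundle {
	sum := sha256.Sum256(patch)
	return Bundle{
		Patch:     patch,
		DigestHex: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(vendorPriv, sum[:]),
	}
}

// Outcome classifies a verification result for the R2 evidence record.
func Outcome(err error) string {
	switch {
	case err == nil:
		return "ACCEPTED"
	case errors.Is(err, ErrIntegrity):
		return "REJECTED-INTEGRITY"
	case errors.Is(err, ErrAuthenticity):
		return "REJECTED-AUTHENTICITY"
	}
	return "REJECTED-OTHER"
}

func main() {
	// Constructed keys: the vendor's, and an unrelated one standing in for
	// anyone who is not the vendor. Only the public half is pinned.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	patch := []byte("constructed firmware image v2.1")

	genuine := SignBundle(vendorPriv, patch)
	corrupted := genuine // same digest and signature, altered bytes
	corrupted.Patch = append(append([]byte{}, patch...), " + unexpected bytes"...)
	wrongKey := SignBundle(otherPriv, patch) // digest matches, signer does not

	for name, b := range map[string]Bundle{"genuine": genuine, "corrupted": corrupted, "wrong-key": wrongKey} {
		fmt.Printf("%-10s %s\n", name, Outcome(VerifyPatch(vendorPub, b)))
	}
}
```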
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1-1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3); no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
RELIABILITY | RESILIENCE | SECURITY9
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY10
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY11
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1 Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  Part R1.1
  Part 1.2 (Parts R1.2.1 – R1.2.6)
  CIP-005-6 (Parts 2.4, 2.5)
  CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1).
Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective: "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
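The two checks behind Part R1.2.5 (and the CIP-010-3 Part 1.6 verification it pairs with), as an added example that is not part of the presentation: a Go program that compares a received patch against the digest the vendor published out of band, verifies the vendor's signature under a key pinned at onboarding, and records the outcome as evidence. Ed25519 stands in for whatever signing scheme a vendor actually uses; the vendor name, file name, keys and patch bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"time"
)

// VerificationRecord is the evidence retained for each patch checked
// (constructed structure; the fields are what an audit team would ask for).
type VerificationRecord struct {
	Vendor    string
	FileName  string
	DigestHex string    // SHA-256 of the bytes actually received
	Verified  bool      // true only if both checks passed
	Reason    string    // which check failed, or confirmation of success
	CheckedAt time.Time // when the check was performed (UTC)
}

// VerifyPatch performs the two checks behind Part R1.2.5 before a patch is
// staged for a BES Cyber System:
//   - integrity: SHA-256 of the received bytes must equal the digest the vendor
//     published out of band (support portal, signed advisory), not a digest
//     that travelled alongside the file on the same channel;
//   - authenticity: the vendor's signature over that digest must verify under
//     the vendor public key the entity obtained and pinned at onboarding.
// Both outcomes go into the record so the evidence survives either result.
func VerifyPatch(vendor, fileName string, patch []byte, publishedDigestHex string,
	sig []byte, pinnedVendorKey ed25519.PublicKey) VerificationRecord {
	rec := VerificationRecord{Vendor: vendor, FileName: fileName, CheckedAt: time.Now().UTC()}
	sum := sha256.Sum256(patch)
	rec.DigestHex = hex.EncodeToString(sum[:])

	published, err := hex.DecodeString(publishedDigestHex)
	if err != nil || len(published) != sha256.Size {
		rec.Reason = "published digest is malformed; obtain it again from the vendor"
		return rec
	}
	// Constant-time comparison is cheap insurance when digests come from outside.
	if subtle.ConstantTimeCompare(sum[:], published) != 1 {
		rec.Reason = "integrity failed: computed digest differs from published digest"
		return rec
	}
	// ed25519.Verify panics on a wrong-length key, so check the pinned key first.
	if len(pinnedVendorKey) != ed25519.PublicKeySize || !ed25519.Verify(pinnedVendorKey, sum[:], sig) {
		rec.Reason = "authenticity failed: signature does not verify under the pinned vendor key"
		return rec
	}
	rec.Verified = true
	rec.Reason = "integrity and authenticity verified; patch may proceed to change management"
	return rec
}

// VendorSign models the vendor side: publish the digest and sign it.
// Vendors commonly use PGP or code-signing certificates; Ed25519 is used here
// only because it ships in Go's standard library.
func VendorSign(priv ed25519.PrivateKey, patch []byte) (digestHex string, sig []byte) {
	sum := sha256.Sum256(patch)
	return hex.EncodeToString(sum[:]), ed25519.Sign(priv, sum[:])
}

func main() {
	// Constructed: the vendor key pair pinned at onboarding and a sample patch.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	patch := []byte("RTU firmware 2.3.1 (constructed sample bytes)")
	digestHex, sig := VendorSign(vendorPriv, patch)

	// Case 1: the genuine patch passes both checks.
	fmt.Printf("%+v\n", VerifyPatch("Vendor A", "rtu-2.3.1.bin", patch, digestHex, sig, vendorPub))

	// Case 2: one byte altered in transit fails the integrity check.
	tampered := append([]byte{}, patch...)
	tampered[0] ^= 0x01
	fmt.Printf("%+v\n", VerifyPatch("Vendor A", "rtu-2.3.1.bin", tampered, digestHex, sig, vendorPub))

	// Case 3: a self-consistent digest and signature from a key that was never
	// pinned fails the authenticity check even though the file matches its own
	// digest; this is why the digest alone is not enough.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherDigest, otherSig := VendorSign(otherPriv, patch)
	fmt.Printf("%+v\n", VerifyPatch("Vendor A", "rtu-2.3.1.bin", patch, otherDigest, otherSig, vendorPub))
}
```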
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3); no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
• Protection
• Analysis
• Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations depend on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
[Diagram: Facility Ratings; TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
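The inventory, verification and change-management controls described in the Facility Rating slides above, as an added example that is not Max Reliability Power Company's tooling or anything from the presentation: a Go program that keeps the series equipment of a Facility next to its documented Facility Rating, verifies that the documented rating respects the most limiting Equipment Rating (the detective control), and flags when an Equipment Rating change moves that limit (the change-management trigger). Facility and equipment names and all rating values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Equipment is one series element of a Facility with its Equipment Rating
// (constructed values; treat the unit as amperes).
type Equipment struct {
	ID     string
	Rating float64
}

// Facility keeps the documented Facility Rating next to the equipment that
// comprises it, so the two can be compared by the verification control.
type Facility struct {
	Name             string
	DocumentedRating float64
	Equipment        []Equipment
}

// MostLimiting returns the lowest Equipment Rating in the Facility and the
// element that sets it; ok is false when the inventory lists no equipment.
func MostLimiting(f Facility) (limit Equipment, ok bool) {
	for i, e := range f.Equipment {
		if i == 0 || e.Rating < limit.Rating {
			limit, ok = e, true
		}
	}
	return limit, ok
}

// Verify is the detective control: the documented Facility Rating must not
// exceed the most limiting applicable Equipment Rating. A documented rating
// below the limit is conservative and passes; an empty inventory is a finding
// because nothing can be verified against it.
func Verify(f Facility) (ok bool, finding string) {
	limit, found := MostLimiting(f)
	switch {
	case !found:
		return false, fmt.Sprintf("%s: no equipment in inventory, rating cannot be verified", f.Name)
	case f.DocumentedRating > limit.Rating:
		return false, fmt.Sprintf("%s: documented rating %.0f exceeds %s rating %.0f",
			f.Name, f.DocumentedRating, limit.ID, limit.Rating)
	default:
		return true, fmt.Sprintf("%s: documented rating %.0f respects %s rating %.0f",
			f.Name, f.DocumentedRating, limit.ID, limit.Rating)
	}
}

// ApplyRatingChange records a new Equipment Rating in the inventory and flags
// whether the Facility Rating is impacted, which is the trigger for updating
// the documented rating and notifying protection, planning and operations.
// It deliberately does not touch DocumentedRating: that update belongs to the
// change-management follow-up, and Verify catches it if it is missed.
func ApplyRatingChange(f *Facility, equipmentID string, newRating float64) (impacted bool, oldLimit, newLimit float64, err error) {
	before, ok := MostLimiting(*f)
	if !ok {
		return false, 0, 0, errors.New(f.Name + ": facility has no equipment")
	}
	idx := -1
	for i := range f.Equipment {
		if f.Equipment[i].ID == equipmentID {
			idx = i
		}
	}
	if idx < 0 {
		return false, before.Rating, before.Rating, fmt.Errorf("%s: equipment %q not in inventory", f.Name, equipmentID)
	}
	f.Equipment[idx].Rating = newRating
	after, _ := MostLimiting(*f)
	return after.Rating != before.Rating, before.Rating, after.Rating, nil
}

func main() {
	// Constructed inventory: the CT is the limiting element of the line.
	line := Facility{Name: "Line 101", DocumentedRating: 1200, Equipment: []Equipment{
		{"CT-1", 1200}, {"Breaker-1", 2000}, {"Conductor", 1500}}}
	fmt.Println(Verify(line))
	// Conductor uprated: not the limiting element, so no Facility Rating impact.
	fmt.Println(ApplyRatingChange(&line, "Conductor", 1600))
	// CT-1 derated: the limit moves, the change must be flagged, and until the
	// documented rating is updated the verification control reports a finding.
	fmt.Println(ApplyRatingChange(&line, "CT-1", 1000))
	fmt.Println(Verify(line))
	line.DocumentedRating = 1000
	fmt.Println(Verify(line))
}
```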
Questions
Break
Webinar participants: We will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Map labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

Registered Entity | NCR ID | DP | TO | TOP | TP | TSP
Eversource Energy Service Company | NCR07176 | X | X | X | X | X

(DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
Six-Step Framework
[Diagram slides; no text captured]
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts that are both probable and improbable.
4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action.
5. A combination of tools can be used toward gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon
[Diagram slide; no text captured]
Illustrative Diagram
[Diagram slide; no text captured]
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
- Consideration of all applicable equipment
- Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized in:
- Protection
- Analysis
- Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations depend on the inherent risk of the entity.
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
- Annual reviews
- Roles and responsibilities
- Identification of tools
- Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
- Equipment Rating documentation
- Flagging when Equipment Rating changes impact Facility Ratings
- Identification of Facilities with unique characteristics
- Required fields dependent on characteristics of Facilities
- Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
- Anomalies evaluated for applicability to other Facilities
- Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
15
Change Management Example
(Diagram: Facility Ratings and the Standards whose obligations a Facility Rating change can affect: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4)
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
- Its personnel will know to review Facility Ratings if equipment changes occur
- Appropriate personnel should receive an email when Facility Ratings change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes implemented
- Confirmation that changes implemented as planned
18
Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
19
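As an added worked example (not part of the workshop slides), the Go program below does what the Inventory Example 2, Verification and Change Management slides describe: it recomputes each Facility Rating as the most limiting Equipment Rating in its series inventory, reports any documented Facility Rating that disagrees (the detective control), and, for a proposed Equipment Rating change, lists the Facilities whose rating would move and so need the notifications and follow-up checklist. The inventory, equipment IDs and ampere ratings are constructed sample data; the shared element SW-1 and the stale LINE-102 rating are deliberate, to show that not every equipment change alters a Facility Rating and that a spreadsheet value can drift from the equipment beneath it without anyone noticing.

```go
package main

import (
	"fmt"
	"sort"
)

// Equipment is one series element of a Facility and its documented
// Equipment Rating. Ratings are in amperes (an assumption for this example).
type Equipment struct {
	ID     string
	Rating float64
}

// Facility is a rated element made up of series equipment, plus the Facility
// Rating the entity has documented and hands to protection, planning and
// operations.
type Facility struct {
	ID               string
	Series           []Equipment
	DocumentedRating float64
}

// mostLimiting returns the lowest Equipment Rating among the series equipment
// (the FAC-008 "most limiting applicable Equipment Rating") and which element
// sets it. A Facility with no inventory returns 0 so it surfaces as a finding.
func mostLimiting(f Facility) (float64, string) {
	if len(f.Series) == 0 {
		return 0, ""
	}
	limit, id := f.Series[0].Rating, f.Series[0].ID
	for _, e := range f.Series[1:] {
		if e.Rating < limit {
			limit, id = e.Rating, e.ID
		}
	}
	return limit, id
}

// Finding is one verification discrepancy.
type Finding struct {
	FacilityID string
	Documented float64
	Computed   float64
	LimitingID string
}

// verify is the detective control: recompute every Facility Rating from the
// equipment inventory and report those that disagree with the documented value.
func verify(inv []Facility) []Finding {
	var out []Finding
	for _, f := range inv {
		limit, id := mostLimiting(f)
		if limit != f.DocumentedRating {
			out = append(out, Finding{f.ID, f.DocumentedRating, limit, id})
		}
	}
	return out
}

// impactedByChange is the change-management check: apply a proposed new
// rating for one piece of equipment and return the Facilities whose Facility
// Rating would change as a result. Those need the notification and follow-up
// checklist; a change that leaves the most limiting element untouched needs
// only the inventory update.
func impactedByChange(inv []Facility, equipID string, newRating float64) []string {
	var impacted []string
	for _, f := range inv {
		before, _ := mostLimiting(f)
		updated := Facility{ID: f.ID, DocumentedRating: f.DocumentedRating}
		contains := false
		for _, e := range f.Series { // e is a copy, so the inventory itself is untouched
			if e.ID == equipID {
				e.Rating = newRating
				contains = true
			}
			updated.Series = append(updated.Series, e)
		}
		if !contains {
			continue
		}
		if after, _ := mostLimiting(updated); after != before {
			impacted = append(impacted, f.ID)
		}
	}
	sort.Strings(impacted)
	return impacted
}

// sampleInventory is constructed data, not an entity's records. SW-1 is
// shared by two Facilities; LINE-102's documented rating is stale on purpose.
var sampleInventory = []Facility{
	{ID: "LINE-101", DocumentedRating: 1200,
		Series: []Equipment{{"BKR-1", 2000}, {"CT-1", 1200}, {"COND-1", 1500}, {"SW-1", 1600}}},
	{ID: "LINE-102", DocumentedRating: 1500,
		Series: []Equipment{{"BKR-2", 2000}, {"CT-2", 1000}, {"COND-2", 1500}}},
	{ID: "XFMR-1", DocumentedRating: 800,
		Series: []Equipment{{"BKR-3", 1200}, {"XF-1", 800}, {"SW-1", 1600}}},
}

func main() {
	for _, fd := range verify(sampleInventory) {
		fmt.Printf("DISCREPANCY %s: documented %.0f A, inventory supports %.0f A (limited by %s)\n",
			fd.FacilityID, fd.Documented, fd.Computed, fd.LimitingID)
	}
	fmt.Println("Facilities impacted if SW-1 is re-rated to 1000 A:", impactedByChange(sampleInventory, "SW-1", 1000))
	fmt.Println("Facilities impacted if SW-1 is re-rated to 1700 A:", impactedByChange(sampleInventory, "SW-1", 1700))
}
```

Re-rating SW-1 to 1000 A moves LINE-101 but not XFMR-1 (its transformer already limits it to 800 A), and re-rating it to 1700 A moves nothing, which is exactly the distinction an automated notification should make so that Protection, Planning and Operations are not paged for changes that do not alter the rating they use.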
Questions
RELIABILITY | RESILIENCE | SECURITY
Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23-24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
- Connecticut Light & Power, with over 1,270,000 electric customers
- NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
- Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Service territory map labels: ISO-NE / NSTAR, CONVEX, ESCC)
2
Eversource Energy One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  - Connecticut Light and Power (NCR07044)
  - NSTAR Electric Company (NCR7180)
  - Public Service of New Hampshire (NCR07203)
  - Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  - Supports efforts for consistency and best practice across 3 states
  - Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

  Registered Entity                               DP   TO   TOP   TP   TSP
  Eversource Energy Service Company (NCR07176)    X    X    X     X    X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
11
Six-Step Framework
12
Six-Step Framework
13
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts that are probable, and severe impacts that are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond the standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
4. Alerts are used for time-sensitive information: to inform, to request action, or to direct action.
5. A combination of tools can be used toward gaining industry action, setting the stage for standards, and addressing a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on when a Reliability Standard is required.
14
Risk Tools and Time Horizon
15
Illustrative Diagram
16
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC, 2017 April, Implementation Guidance, pp. 1-10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
2
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year (the Standard becomes effective July 1, 2020).
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes
  - Part R1.1
  - Part R1.2 (Parts R1.2.1 - R1.2.6)
  - CIP-005-6 (Parts 2.4, 2.5)
  - CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
5
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 - R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC, 2017 April, SCRM Implementation Guidance, General Considerations, p. 1).
7
Bold font in the slides indicates [emphasis added] where applicable, to draw attention to specific items.
CIP-013-1 Part R11
"One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s)."
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement R1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
8
CIP-013-1 Part R12
"One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:"
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
9
CIP-013-1 Part R121
"Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity."
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
10
CIP-013-1 Part R122
"Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity."
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
11
CIP-013-1 Part R123
"Notification by vendors when remote or onsite access should no longer be granted to vendor representatives."
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
12
CIP-013-1 Part R124
"Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity."
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
13
CIP-013-1 Part R125
"Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and"
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
14
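One way to implement the Part 1.2.5 check, which is also the verification CIP-010-3 Part 1.6 calls for before a baseline change, shown here as an added example rather than anything the slides or the Standard prescribe: the vendor publishes a signed manifest of SHA-256 digests, the entity pins the vendor's public key obtained out of band, and only after the manifest signature verifies is the downloaded patch compared against its listed digest. The manifest format, the file name and the firmware bytes are assumptions of the example; the Ed25519 keys are generated at run time and the vendor-side signing function exists only so the program runs offline. The three calls in demo cover the outcomes a procedure has to handle: a genuine patch, a patch altered in transit, and a manifest signed by someone other than the pinned vendor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the vendor's signed release list: sha256sum-style lines of
// "<hex digest>  <filename>", signed as a whole so the digests themselves are
// authenticated. The format is an assumption of this example, not something
// CIP-013-1 or CIP-010-3 prescribes.
type Manifest struct {
	Body      []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrNotListed    = errors.New("artifact is not listed in the signed manifest")
	ErrDigest       = errors.New("artifact digest does not match the signed manifest")
)

// verifyArtifact is the entity-side check for Part 1.2.5. Order matters:
// first authenticate the manifest with the vendor public key the entity
// obtained out of band and pinned (authenticity), then compare the artifact's
// SHA-256 with the digest the manifest lists for it (integrity). A digest
// copied from the same download page as the file proves nothing if that page
// is what the attacker changed.
func verifyArtifact(pinnedKey ed25519.PublicKey, m Manifest, name string, artifact []byte) error {
	if !ed25519.Verify(pinnedKey, m.Body, m.Signature) {
		return ErrBadSignature
	}
	want, ok := lookupDigest(m.Body, name)
	if !ok {
		return ErrNotListed
	}
	got := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrDigest
	}
	return nil
}

// lookupDigest finds the digest recorded for name. A malformed digest on the
// matching line is a failure, not something to skip past.
func lookupDigest(body []byte, name string) ([]byte, bool) {
	for _, line := range strings.Split(string(body), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || fields[1] != name {
			continue
		}
		d, err := hex.DecodeString(fields[0])
		if err != nil || len(d) != sha256.Size {
			return nil, false
		}
		return d, true
	}
	return nil, false
}

// signManifest stands in for the vendor's release process so the example
// runs offline. The entity never holds this private key.
func signManifest(priv ed25519.PrivateKey, body []byte) Manifest {
	return Manifest{Body: body, Signature: ed25519.Sign(priv, body)}
}

// demo exercises the three outcomes an entity's procedure has to handle:
// a genuine patch, a patch altered in transit, and a manifest signed with a
// key that is not the pinned vendor key. Keys and firmware bytes are
// generated/constructed here, not real vendor material.
func demo() (genuine, tampered, wrongKey error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	const name = "rtu-fw-4.2.1.bin"
	patch := []byte("constructed RTU firmware image 4.2.1")
	sum := sha256.Sum256(patch)
	body := []byte(fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name))
	signed := signManifest(vendorPriv, body)

	altered := append(append([]byte{}, patch...), '!')
	genuine = verifyArtifact(vendorPub, signed, name, patch)
	tampered = verifyArtifact(vendorPub, signed, name, altered)
	wrongKey = verifyArtifact(vendorPub, signManifest(roguePriv, body), name, patch)
	return genuine, tampered, wrongKey
}

func main() {
	g, t, w := demo()
	fmt.Println("genuine patch:  ", g)
	fmt.Println("tampered patch: ", t)
	fmt.Println("wrong signer:   ", w)
}
```

What a prudent entity does once verification passes (the slide's second question) is outside the code: record the digest, the verifying key and the outcome alongside the procurement or change record, so the R2 evidence shows what was checked, against which key, and when.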
CIP-013-1 Part R126
"Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s)."
How would a prudent entity establish coordination of controls for remote access?
15
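The questions under Parts 1.2.3 and 1.2.6 above, together with CIP-005-6 Parts 2.4 and 2.5, come down to two operational abilities: knowing which vendor remote access sessions are live right now, and being able to end them, whether on notice from the vendor or during an incident. The Go program below is an added example of that logic, not code from the slides or from any product: it replays constructed Intermediate System and firewall session events, keeps a table of open sessions, filters them through the entity's register of vendor accounts, and turns a Part 1.2.3 termination notice into concrete terminate and disable actions. The log format, host names, account names, vendor names and addresses are all constructed; the vendor-account register is an assumed control, since the Standard does not say how an entity tags vendor accounts.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Session is one remote-access session seen on the Intermediate System (IRA)
// or the EAP firewall (system-to-system). Kind is "IRA" or "S2S".
type Session struct {
	Host, ID, Account, Src, Dst, Kind string
}

// vendorAccounts is the entity's register of accounts issued to vendors.
// Keeping such a register is an assumed control (the Standard does not say
// how vendor accounts are tagged); vendor names here are fictional.
var vendorAccounts = map[string]string{
	"vendor-acme-svc": "Acme Controls",
	"acme-historian":  "Acme Controls",
	"nw-field-tech":   "Northwind SCADA",
}

// parseEvent reads one line of the constructed log format used below:
//   <timestamp> <host> session=<open|close> id=<n> user=<account> src=<ip> dst=<ip> type=<IRA|S2S>
// Lines missing the fields needed to track a session return ok=false, so a
// truncated or malformed line can never silently close one.
func parseEvent(line string) (event string, s Session, ok bool) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return "", Session{}, false
	}
	kv := map[string]string{}
	for _, tok := range f[2:] {
		parts := strings.SplitN(tok, "=", 2)
		if len(parts) != 2 {
			return "", Session{}, false
		}
		kv[parts[0]] = parts[1]
	}
	event = kv["session"]
	s = Session{f[1], kv["id"], kv["user"], kv["src"], kv["dst"], kv["type"]}
	if (event != "open" && event != "close") || s.ID == "" || s.Account == "" {
		return "", Session{}, false
	}
	return event, s, true
}

// activeVendorSessions replays the log and returns vendor sessions that were
// opened and not closed: the CIP-005-6 Part 2.4 "method for determining
// active vendor remote access sessions". Employee sessions are tracked the
// same way but filtered out of the result.
func activeVendorSessions(lines []string) []Session {
	open := map[string]Session{}
	for _, l := range lines {
		event, s, ok := parseEvent(l)
		if !ok {
			continue
		}
		if key := s.Host + "/" + s.ID; event == "open" {
			open[key] = s
		} else {
			delete(open, key)
		}
	}
	var out []Session
	for _, s := range open {
		if _, isVendor := vendorAccounts[s.Account]; isVendor {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Account+"/"+out[i].ID < out[j].Account+"/"+out[j].ID
	})
	return out
}

// Action is a step for the entity: "terminate-session" (the CIP-005-6 Part
// 2.5 ability to disable active vendor remote access) or "disable-account".
type Action struct{ Kind, Target, Reason string }

// onTerminationNotice acts on a Part 1.2.3 notice that an account should no
// longer have access: terminate each live session for it, IRA or S2S alike,
// then disable the account so the next attempt fails at authentication.
func onTerminationNotice(active []Session, account string) []Action {
	var acts []Action
	for _, s := range active {
		if s.Account == account {
			acts = append(acts, Action{"terminate-session", s.Host + "/" + s.ID, "Part 1.2.3 notice: " + s.Kind + " session"})
		}
	}
	return append(acts, Action{"disable-account", account, "Part 1.2.3 notice"})
}

// sampleLog is constructed; addresses are from documentation ranges.
var sampleLog = []string{
	"2019-07-23T13:02:11Z jump01 session=open id=41 user=vendor-acme-svc src=198.51.100.7 dst=10.20.1.15 type=IRA",
	"2019-07-23T13:10:45Z fw01 session=open id=9001 user=acme-historian src=198.51.100.20 dst=10.20.2.30 type=S2S",
	"2019-07-23T13:41:02Z jump01 session=close id=41 user=vendor-acme-svc src=198.51.100.7 dst=10.20.1.15 type=IRA",
	"2019-07-23T14:00:00Z jump01 session=open id=42 user=nw-field-tech src=203.0.113.5 dst=10.20.1.40 type=IRA",
	"2019-07-23T14:05:30Z jump01 session=open id=43 user=jdoe src=10.1.1.5 dst=10.20.1.40 type=IRA",
	"2019-07-23T14:06:00Z jump01 session=close id=", // truncated: ignored, closes nothing
}

func main() {
	active := activeVendorSessions(sampleLog)
	for _, s := range active {
		fmt.Printf("ACTIVE %-3s %s/%s %s (%s) %s -> %s\n", s.Kind, s.Host, s.ID, s.Account, vendorAccounts[s.Account], s.Src, s.Dst)
	}
	for _, a := range onTerminationNotice(active, "acme-historian") {
		fmt.Printf("ACTION %s %s (%s)\n", a.Kind, a.Target, a.Reason)
	}
}
```

The malformed last log line is there on purpose: a parser that treated a truncated close event as closing some session would make the active list wrong in the direction that matters, and the system-to-system session on fw01 is the reminder that Part 2.4 covers more than interactive logins on the jump host.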
Documenting Parts 1.2.1-1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
16
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Parts 2.4 and 2.5 (methods for determining active vendor remote access sessions, and for disabling them), as well as CIP-010-3 Part 1.6 (verifying the identity of the software source and the integrity of the software before a baseline change, where the source provides a method to do so), on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
18
Implementing the SCRM Plan (R2)
"Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1."
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
• Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
19
Approving the SCRM Plan (R3)
"Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months."
• Initial review and appro val is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3).
• No more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
20
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and low impact BCS (LIBCS)
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
21
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1, Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 - Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
22
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
24
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1-3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
RELIABILITY | RESILIENCE | SECURITY12
Six-Step Framework
RELIABILITY | RESILIENCE | SECURITY13
Guiding Principles
1 Reliability Standards address sustained risks with moderate impacts which are probable and severe impacts which are probable or improbable
2 Reliability Guidelines used to address sustained risks that are probable or improbable Guidelines are also used for items not in the ERO Enterprisersquos jurisdiction or are practices that improve reliability beyond standards
3 Lessons Learned used for sustain risks or a one-and-done activities with moderate impacts and are both probable and improbable
4 Alerts will be used for time sensitive information for information to request action or direct action
5 A combination of tools can be used towards gaining industry action setting the stage for standards as well as addressing a risk while a Standard is being developed Likelihood pervasiveness and severity have a bearing when a Reliability Standard is required
RELIABILITY | RESILIENCE | SECURITY14
Risk Tools and Time Horizon
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC, 2017 April, SCRM Implementation Guidance, General Considerations, p. 1).
Note: bold font in the original slides indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks..." (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider ... options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents? What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures? How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
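The R1.2.5 question above (and CIP-010-3 Part 1.6, which covers the same verification at the configuration-change step) asks how an entity can verify both integrity and authenticity. The Go program below is an added example, not code from the workshop, from NERC or from any vendor. It answers the two questions separately and in a fixed order: authenticity first (an Ed25519 signature over the vendor's hash manifest, checked against a vendor public key the entity obtained out of band and pinned), then integrity (the SHA-256 of the downloaded patch against the entry in that signed manifest). The manifest format, file name, key material and patch bytes are all constructed for the demo; real vendors publish hashes and signatures in their own formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Two separate questions, checked in a fixed order:
//   authenticity: did the vendor publish this hash list? (signature under a pinned key)
//   integrity:    does the file we have match the published hash? (SHA-256)
// A manifest whose signature fails is never consulted for hashes.

// ParseManifest reads constructed "<sha256 hex>  <filename>" lines into a map
// keyed by filename. Blank lines and "#" comments are ignored.
func ParseManifest(manifest string) (map[string]string, error) {
	out := map[string]string{}
	for _, line := range strings.Split(manifest, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		out[fields[1]] = strings.ToLower(fields[0])
	}
	return out, nil
}

// VerifyPatch returns nil only when the manifest signature verifies under the
// pinned vendor key AND the SHA-256 of patch equals the manifest entry for name.
func VerifyPatch(vendorKey ed25519.PublicKey, manifest, sig []byte, name string, patch []byte) error {
	if len(vendorKey) != ed25519.PublicKeySize || !ed25519.Verify(vendorKey, manifest, sig) {
		return errors.New("authenticity: manifest signature does not verify under pinned vendor key")
	}
	entries, err := ParseManifest(string(manifest))
	if err != nil {
		return err
	}
	want, ok := entries[name]
	if !ok {
		return fmt.Errorf("integrity: %s is not listed in the signed manifest", name)
	}
	sum := sha256.Sum256(patch)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("integrity: sha256 mismatch for %s: got %s want %s", name, got, want)
	}
	return nil
}

// keyFromLabel derives a deterministic Ed25519 key pair from a label so the demo is
// reproducible. Constructed for the example only; a real vendor key is obtained out of
// band (not alongside the download) and pinned by the entity.
func keyFromLabel(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// DemoRun plays both sides with constructed data: the vendor signs a manifest, then the
// entity checks a good patch, a patch with one flipped bit, and a manifest re-signed by
// a key that is not the pinned vendor key. It returns whether each was accepted.
func DemoRun() (goodOK, tamperedOK, forgedOK bool) {
	vendorPub, vendorPriv := keyFromLabel("constructed demo vendor key - not real")
	patch := []byte("constructed relay firmware image v2.1 (demo bytes)")
	sum := sha256.Sum256(patch)
	manifest := []byte("# constructed vendor release manifest\n" +
		hex.EncodeToString(sum[:]) + "  relay-fw-2.1.bin\n")
	sig := ed25519.Sign(vendorPriv, manifest)

	goodOK = VerifyPatch(vendorPub, manifest, sig, "relay-fw-2.1.bin", patch) == nil

	tampered := append([]byte{}, patch...)
	tampered[0] ^= 0x01 // integrity failure: content changed after the hash was published
	tamperedOK = VerifyPatch(vendorPub, manifest, sig, "relay-fw-2.1.bin", tampered) == nil

	_, otherPriv := keyFromLabel("constructed non-vendor key")
	forgedSig := ed25519.Sign(otherPriv, manifest) // authenticity failure: wrong signer
	forgedOK = VerifyPatch(vendorPub, manifest, forgedSig, "relay-fw-2.1.bin", patch) == nil
	return goodOK, tamperedOK, forgedOK
}

func main() {
	g, t, f := DemoRun()
	fmt.Printf("good patch accepted: %v\ntampered patch accepted: %v\nforged manifest accepted: %v\n", g, t, f)
}
```

The order of the checks is the point: a hash list downloaded from the same place as the patch proves nothing by itself, so the manifest's signature is checked under the pinned key before any hash in it is trusted, and the artifacts of both checks (the pinned key fingerprint, the manifest, the signature result and the computed hash) are what an entity would retain as R2 evidence for that procurement.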
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1 – 1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3); no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect? What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, ¶ 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1 - Supply Chain Risk Management Reliability Standard, Final Rule, 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1-3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door - and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor - Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
• Protection
• Analysis
• Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
Methodology
Inventory
Verification
Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example
(Diagram: Facility Ratings shown linked to TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1 and PRC-023-4)
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes implemented
• Confirmation that changes implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
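The Inventory, Verification and Change Management slides above describe three controls over the same data: a Facility Rating that is the most limiting Equipment Rating of the series equipment, flagging when an Equipment Rating change moves the Facility Rating (with automated notification to the four groups named on the last slide), and a detective comparison of documented Facility Ratings against the inventory. The Go program below is an added example, not code from the workshop or from any utility; the facility name, equipment IDs, ratings in amperes and the group list are all constructed for the demo.

```go
package main

import "fmt"

// Equipment is one series element of a Facility; Rating is its Equipment Rating in amperes (constructed).
type Equipment struct {
	ID     string
	Rating float64
}

// Inventory maps each Facility name to the series equipment that comprises it, and
// lists the groups notified when a Facility Rating changes.
type Inventory struct {
	Facilities map[string][]Equipment
	Notify     []string
}

// FacilityRating returns the most limiting (lowest) applicable Equipment Rating and the
// limiting element's ID. An empty equipment list is an error, not a rating of zero.
func FacilityRating(eq []Equipment) (float64, string, error) {
	if len(eq) == 0 {
		return 0, "", fmt.Errorf("no equipment in inventory")
	}
	lim := eq[0]
	for _, e := range eq[1:] {
		if e.Rating < lim.Rating {
			lim = e
		}
	}
	return lim.Rating, lim.ID, nil
}

// ChangeResult records what one Equipment Rating change did; Notifications is empty when the Facility Rating did not move.
type ChangeResult struct {
	Facility, LimitingID string
	Before, After        float64
	FacilityChanged      bool
	Notifications        []string
}

// ApplyEquipmentChange updates one Equipment Rating, recomputes the Facility Rating and flags a
// moved rating with the notification list (the "flagging" / "automated notification" controls).
func (inv *Inventory) ApplyEquipmentChange(facility, equipID string, newRating float64) (ChangeResult, error) {
	eq, ok := inv.Facilities[facility]
	if !ok {
		return ChangeResult{}, fmt.Errorf("unknown facility %q", facility)
	}
	idx := -1
	for i := range eq {
		if eq[i].ID == equipID {
			idx = i
		}
	}
	if idx < 0 {
		return ChangeResult{}, fmt.Errorf("equipment %q is not in facility %q inventory", equipID, facility)
	}
	before, _, _ := FacilityRating(eq) // eq is non-empty here, so no error
	eq[idx].Rating = newRating         // the slice shares the inventory's backing array, so the update persists
	after, lim, _ := FacilityRating(eq)
	res := ChangeResult{Facility: facility, LimitingID: lim, Before: before, After: after, FacilityChanged: after != before}
	if res.FacilityChanged {
		res.Notifications = append([]string{}, inv.Notify...)
	}
	return res, nil
}

// VerifyDocumented is the detective control: recompute each documented Facility Rating
// from the inventory and return one finding per discrepancy, keyed by Facility name.
func (inv *Inventory) VerifyDocumented(documented map[string]float64) map[string]string {
	findings := map[string]string{}
	for name, doc := range documented {
		eq, ok := inv.Facilities[name]
		if !ok {
			findings[name] = "documented but not in inventory"
			continue
		}
		if calc, lim, err := FacilityRating(eq); err != nil {
			findings[name] = err.Error()
		} else if calc != doc {
			findings[name] = fmt.Sprintf("documented %.0f A but limiting element %s gives %.0f A", doc, lim, calc)
		}
	}
	return findings
}

// DemoInventory is a constructed one-facility inventory in which the CT limits the line.
func DemoInventory() *Inventory {
	return &Inventory{
		Facilities: map[string][]Equipment{"Line 101": {{ID: "BKR-1", Rating: 2000}, {ID: "CT-1", Rating: 1200}, {ID: "COND-1", Rating: 1500}, {ID: "DISC-1", Rating: 1600}}},
		Notify:     []string{"Protection Engineering", "System Planning", "System Operations", "Operations Support"},
	}
}

func main() {
	inv := DemoInventory()
	r1, _ := inv.ApplyEquipmentChange("Line 101", "BKR-1", 1800)  // CT still limits: not flagged
	r2, _ := inv.ApplyEquipmentChange("Line 101", "COND-1", 1100) // conductor now limits: flagged
	fmt.Printf("%+v\n%+v\n%v\n", r1, r2, inv.VerifyDocumented(map[string]float64{"Line 101": 1200}))
}
```

The two demo changes show why the flag is computed from the recalculated Facility Rating rather than from the fact that some rating changed: derating the breaker from 2000 A to 1800 A leaves the CT as the limiting element and needs no downstream notification, while derating the conductor to 1100 A makes it the new limiting element and triggers notification to all four groups. Running the detective check afterwards against the still-documented 1200 A value produces exactly the discrepancy a field verification is meant to catch.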
Questions
Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in the CT, MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018 PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

  Registered Entity                 | NCR      | DP | TO | TOP | TP | TSP
  Eversource Energy Service Company | NCR07176 | X  | X  | X   | X  | X

  (DP = Distribution Provider; TO = Transmission Owner; TOP = Transmission Operator; TP = Transmission Planner; TSP = Transmission Service Provider)
Guiding Principles
1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise's jurisdiction, or for practices that improve reliability beyond standards.
3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts that are both probable and improbable.
4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action.
5. A combination of tools can be used toward gaining industry action, setting the stage for standards, as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness and severity have a bearing on when a Reliability Standard is required.
Risk Tools and Time Horizon (diagram)
Illustrative Diagram
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor - Cyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC, 2017 April, Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements and/or Parts, and addresses risks associated with the reliable operations of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
(Diagram: Facility Ratings linked to the following Standards: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4)
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
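The inventory, verification and change-management controls above all rest on one derivation: a Facility Rating is the minimum applicable Equipment Rating across the series equipment that comprises the Facility. The Go program below is an added example written for this page, not an entity's tool or code from the workshop. It derives a Facility Rating from an inventory record, runs the detective verification check against the rating recorded in the inventory, and flags whether an Equipment Rating change impacts the Facility Rating, which is the trigger for the automated notifications Max Reliability Power Company sends to protection, planning and operations. The facility name, equipment IDs and ampere values are constructed sample data.

```go
package main

import (
	"fmt"
	"math"
)

// Equipment is one series element of a Facility together with its Equipment
// Rating. The identifiers and ampere values used here are constructed sample
// data for this example, not any entity's inventory.
type Equipment struct {
	ID     string
	Rating float64 // Equipment Rating in amperes
}

// Facility holds the series equipment that comprises it and the Facility
// Rating currently recorded in the inventory (which may be stale or wrong).
type Facility struct {
	Name           string
	Series         []Equipment
	RecordedRating float64
}

// MostLimitingRating derives the Facility Rating from the inventory: the
// minimum applicable Equipment Rating across all series equipment. It also
// returns the ID of the limiting element; ok is false for an empty facility.
func MostLimitingRating(f Facility) (rating float64, limiting string, ok bool) {
	rating = math.Inf(1)
	for _, e := range f.Series {
		if e.Rating < rating {
			rating, limiting = e.Rating, e.ID
		}
	}
	if limiting == "" {
		return 0, "", false
	}
	return rating, limiting, true
}

// Verify is the detective control: it reports whether the recorded Facility
// Rating equals the most limiting Equipment Rating. A recorded rating above
// the derived one is the unsafe case, because operations, protection and
// planning would all be working from a limit the equipment cannot support.
func Verify(f Facility) (consistent bool, derived float64) {
	derived, _, ok := MostLimitingRating(f)
	if !ok {
		return false, 0
	}
	return f.RecordedRating == derived, derived
}

// ApplyEquipmentRatingChange updates one element's Equipment Rating and
// reports whether the Facility Rating is impacted. That flag is the
// change-management trigger: an impacted Facility Rating must be pushed to
// the groups that consume it, while an unimpacted change only needs the
// inventory record updated. An unknown ID changes nothing and is not impacted.
func ApplyEquipmentRatingChange(f *Facility, id string, newRating float64) (impacted bool, before, after float64) {
	before, _, _ = MostLimitingRating(*f)
	for i := range f.Series {
		if f.Series[i].ID == id {
			f.Series[i].Rating = newRating
		}
	}
	after, _, _ = MostLimitingRating(*f)
	return before != after, before, after
}

// sampleFacility is a constructed line whose recorded rating was set from the
// conductor alone; the current transformer CT-1 was overlooked.
func sampleFacility() Facility {
	return Facility{
		Name: "Line 101 (constructed)",
		Series: []Equipment{
			{ID: "COND-1", Rating: 1000}, // conductor
			{ID: "BKR-1", Rating: 1200},  // breaker
			{ID: "CT-1", Rating: 800},    // current transformer, the real limit
			{ID: "SW-1", Rating: 1200},   // disconnect switch
		},
		RecordedRating: 1000,
	}
}

func main() {
	f := sampleFacility()
	derived, limiting, _ := MostLimitingRating(f)
	consistent, _ := Verify(f)
	fmt.Printf("%s: recorded %.0f A, derived %.0f A (limited by %s), consistent=%v\n",
		f.Name, f.RecordedRating, derived, limiting, consistent)

	// CT-1 is replaced with a 1200 A unit: the Facility Rating moves to 1000 A.
	impacted, before, after := ApplyEquipmentRatingChange(&f, "CT-1", 1200)
	fmt.Printf("CT-1 -> 1200 A: impacted=%v (%.0f A -> %.0f A)\n", impacted, before, after)

	// BKR-1 is uprated but is not the limiting element: no notification needed.
	impacted, before, after = ApplyEquipmentRatingChange(&f, "BKR-1", 1500)
	fmt.Printf("BKR-1 -> 1500 A: impacted=%v (%.0f A -> %.0f A)\n", impacted, before, after)
}
```

The constructed record deliberately omits the current transformer when its rating was set, which is the kind of gap the field inspections in Verification Example 2 are meant to catch. In a real inventory the same check would run across every Facility on a schedule, and an impacted flag would feed the notification list and follow-up checklist rather than a printed line.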
Questions

Break: Webinar participants, we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24th, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Logos: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

Eversource Energy Service Company (NCR07176)
  Distribution Provider (DP):           X
  Transmission Owner (TO):              X
  Transmission Operator (TOP):          X
  Transmission Planner (TP):            X
  Transmission Service Provider (TSP):  X
Risk Tools and Time Horizon

Illustrative Diagram
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security

WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operations of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1 Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  – Part R1.1
  – Part 1.2 (Parts R1.2.1 – R1.2.6)
  – CIP-005-6 (Parts 2.4, 2.5)
  – CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1).
Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes: remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?

CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?

CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?

CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
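One way to frame the two checks in Part 1.2.5, as an added example written for this page rather than anything prescribed by the Standard or taken from the presentation: integrity means the bytes received hash to the digest the vendor published, and authenticity means that digest was signed by a key the entity obtained from the vendor in advance. The Go program below assumes a vendor that publishes a SHA-256 digest and an ed25519 signature over it; that scheme is a construction for the example (real vendors may publish PGP signatures or code-signing certificates, and the NATF guidance for CIP-010-3 Part 1.6 referenced at the end of this deck is the ERO-endorsed document on the topic). The key pair, package bytes and release records are all constructed inside the program.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// VendorRelease is what the entity receives for a software update or patch:
// the package bytes, the SHA-256 digest the vendor published, and the vendor's
// signature over that digest. The layout is constructed for this example.
type VendorRelease struct {
	Package   []byte
	Digest    string // hex SHA-256 as published by the vendor
	Signature []byte // ed25519 signature over the raw digest bytes
}

var (
	ErrIntegrity    = errors.New("integrity check failed: package digest differs from published digest")
	ErrAuthenticity = errors.New("authenticity check failed: signature does not verify under the trusted vendor key")
)

// VerifyRelease performs both Part 1.2.5 checks before a package leaves
// quarantine: integrity (the bytes hash to the published digest) and
// authenticity (the digest was signed by the key the entity obtained from the
// vendor in advance, not by whoever supplied the download). A matching digest
// alone proves nothing if digest and file came from the same untrusted source.
func VerifyRelease(rel VendorRelease, trustedVendorKey ed25519.PublicKey) error {
	sum := sha256.Sum256(rel.Package)
	published, err := hex.DecodeString(rel.Digest)
	if err != nil || !bytes.Equal(sum[:], published) {
		return ErrIntegrity
	}
	if !ed25519.Verify(trustedVendorKey, sum[:], rel.Signature) {
		return ErrAuthenticity
	}
	return nil
}

// NewConstructedVendorKey stands in for the vendor's key pair. The public key
// is what the entity would pin out of band; the private key stays with the vendor.
func NewConstructedVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRelease is the vendor-side step: hash the package and sign the digest.
func SignRelease(vendorPriv ed25519.PrivateKey, pkg []byte) VendorRelease {
	sum := sha256.Sum256(pkg)
	return VendorRelease{
		Package:   pkg,
		Digest:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(vendorPriv, sum[:]),
	}
}

func main() {
	vendorPub, vendorPriv := NewConstructedVendorKey()
	pkg := []byte("constructed relay firmware image v2.1") // sample bytes, not real firmware

	good := SignRelease(vendorPriv, pkg)
	fmt.Println("genuine release:", VerifyRelease(good, vendorPub))

	// Corrupted in transit: one byte flipped, digest and signature unchanged.
	tampered := good
	tampered.Package = append([]byte(nil), pkg...)
	tampered.Package[0] ^= 0xff
	fmt.Println("tampered package:", VerifyRelease(tampered, vendorPub))

	// Substituted release: digest and signature are self-consistent, but the
	// signing key is one the entity never trusted.
	_, impostorPriv := NewConstructedVendorKey()
	forged := SignRelease(impostorPriv, pkg)
	fmt.Println("untrusted-key release:", VerifyRelease(forged, vendorPub))
}
```

The three scenarios in main show why both checks are needed: a flipped byte fails integrity even though the signature is genuine, and a self-consistent release signed by an untrusted key fails authenticity even though its digest matches. The trusted public key is the item to protect and to obtain out of band; a digest or signature fetched from the same location as the package adds little on its own.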
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?

Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.

Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?

Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3).
No more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020; 18 CFR Part 40; Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?

Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
RELIABILITY | RESILIENCE | SECURITY15
Illustrative Diagram
RELIABILITY | RESILIENCE | SECURITY16
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?

Documenting Parts 1.2.1 – 1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation

Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.

Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?

Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date? Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?

Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3); no more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect? What R3 internal controls would a prudent entity develop?

Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.

ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R., & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112

Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?

Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls

Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
• Protection
• Analysis
• Monitoring

Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.

Internal Controls
• Methodology
• Inventory
• Verification
• Change Management

Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.

Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.

Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions

Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings

Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.

Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes

Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.

Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.

Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections

Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System

Change Management Example
[Diagram: Facility Ratings linked to TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, and PRC-023-4]

Change Management Example 1
Low Bar Power Company has no documented change management processes, but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change

Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned

Change Management Example 2 (continued)
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
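As an added example (not from this deck or from NERC), the Python below models the inventory, verification and change-management controls the slides describe on a constructed line terminal: the Facility Rating is derived as the most limiting series Equipment Rating, verification compares the documented rating against the inventory as a detective control, and an Equipment Rating change is flagged with the groups to notify whenever it moves the Facility Rating. Facility name, equipment tags and ampere values are all constructed.

```python
"""Added example, not from the NERC deck: a small Facility Rating inventory with
three controls: derive the Facility Rating from the most limiting series
Equipment Rating, verify the documented rating against the inventory, and flag
Equipment Rating changes that alter the Facility Rating so downstream groups are
notified. Names, tags and ampere values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Equipment:
    tag: str
    kind: str
    rating_amps: float        # applicable Equipment Rating (constructed values)
    in_series: bool = True    # only series equipment limits the Facility


@dataclass
class Facility:
    name: str
    documented_rating_amps: float
    equipment: list = field(default_factory=list)

    def calculated_rating(self) -> tuple:
        """Most limiting applicable Equipment Rating and the element that sets it."""
        series = [e for e in self.equipment if e.in_series]
        if not series:
            raise ValueError(f"{self.name}: no series equipment in inventory")
        limiting = min(series, key=lambda e: e.rating_amps)
        return limiting.rating_amps, limiting.tag


def verify_facility(fac: Facility) -> dict:
    """Detective control: does the documented rating respect the inventory?"""
    calc, limiter = fac.calculated_rating()
    if fac.documented_rating_amps > calc:
        status = "ANOMALY: documented rating exceeds most limiting element"
    elif fac.documented_rating_amps < calc:
        status = "CONSERVATIVE: documented rating below calculated (review)"
    else:
        status = "OK"
    return {"facility": fac.name, "documented": fac.documented_rating_amps,
            "calculated": calc, "limiting_element": limiter, "status": status}


# Groups the slides name for automated notification of Facility Rating changes
NOTIFY = ["Protection Engineering", "System Planning",
          "System Operations", "Operations Support"]


def apply_equipment_change(fac: Facility, tag: str, new_rating_amps: float) -> dict:
    """Change-management control: apply an Equipment Rating change and report
    whether the Facility Rating moved and who must be notified."""
    before, _ = fac.calculated_rating()
    target = next((e for e in fac.equipment if e.tag == tag), None)
    if target is None:
        raise KeyError(f"{tag} not in inventory for {fac.name}")
    old = target.rating_amps
    target.rating_amps = new_rating_amps
    after, limiter = fac.calculated_rating()
    impacted = after != before
    return {"facility": fac.name, "equipment": tag,
            "old_equipment_rating": old, "new_equipment_rating": new_rating_amps,
            "facility_rating_before": before, "facility_rating_after": after,
            "limiting_element": limiter, "facility_rating_impacted": impacted,
            "notify": NOTIFY if impacted else []}


def build_sample_facility() -> Facility:
    """Constructed line terminal; the current transformer is the limiting element."""
    return Facility(
        name="Line 1234 - Substation A terminal (constructed)",
        documented_rating_amps=1200.0,
        equipment=[
            Equipment("L1234-COND", "conductor", 1500.0),
            Equipment("A-CB-12", "circuit breaker", 2000.0),
            Equipment("A-CT-12", "current transformer", 1200.0),
            Equipment("A-DS-12", "disconnect switch", 1600.0),
            Equipment("A-LA-12", "surge arrester", 1000.0, in_series=False),
        ],
    )


if __name__ == "__main__":
    fac = build_sample_facility()
    print(verify_facility(fac))                          # OK at 1200 A
    print(apply_equipment_change(fac, "A-CT-12", 2000.0))  # conductor now limits
    print(verify_facility(fac))                          # documented 1200 A is conservative
```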
Questions

Break: Webinar participants, we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance

Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Map: service territories, labelled ISO-NE, NSTAR, CONVEX, ESCC]

Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

Entity                             NCR        DP   TO   TOP   TP   TSP
Eversource Energy Service Company  NCR07176   X    X    X     X    X
(DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls
NERC Compliance & Standards Workshop
Minneapolis, MN
July 23, 2019
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security

WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC, 2017 April, Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.

SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and addresses risks associated with the reliable operations of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.

SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.

Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes: Part R1.1; Part 1.2 (Parts R1.2.1 – R1.2.6); CIP-005-6 (Parts 2.4, 2.5); CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.

Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access

CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC, 2017 April, SCRM Implementation Guidance, General Considerations, p. 1).
Bold font indicates [emphasis added] where applicable to draw attention to specific items.

CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes; remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).

CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
CIP-013-1Supply Chain
Risk Management Audit Approach amp Internal Controls
NERC Compliance
amp Standards Workshop
Minneapolis MN
July 23 2019
Dr Joseph B BaughSenior Compliance
AuditormdashCyber Security
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance, pp. 1–10).
It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES.
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach.
Thus, one size does not fit all, as the devil is always in the details of any specific plan.
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards.
In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1–R3 SCRM plan(s), processes, and procedures.
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter.
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  – Part R1.1
  – Part 1.2 (Parts R1.2.1 – R1.2.6)
  – CIP-005-6 (Parts 2.4, 2.5)
  – CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC 2017 April SCRM Implementation Guidance, General Considerations, p. 1).
Note: Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
• What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
• Should an entity mitigate identified cyber security risks?
  • Yes. Remember the CIP-013-1 Security Objective, "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
• Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
• What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
• How can an entity encourage vendors to provide such notifications?
• What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
• How can an entity establish this coordination of responses for such incidents?
• What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
• How can an entity encourage vendors to provide such notifications?
• What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
• How can an entity encourage vendors to provide such disclosures?
• How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
• How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
• What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
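The two checks Part 1.2.5 names can be shown in code. The following is an added example in Go, not part of the WECC presentation: it treats integrity as a SHA-256 match against the digest list the vendor published, and authenticity as an Ed25519 signature on that list under a public key the entity pinned out of band when the vendor relationship was established. The vendor key pair, the file name relay-fw-2.3.1.bin, the patch bytes and the sha256sum-style two-column manifest layout are all constructed assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// VerifyResult keeps the two R1.2.5 checks separate: Authentic means the
// digest list really came from the vendor (signature under the pinned key);
// Intact means the delivered file matches the digest in that list.
type VerifyResult struct {
	Authentic bool
	Intact    bool
	Reason    string
}

// parseManifest reads sha256sum-style lines ("<64 hex digest>  <file name>")
// into a file-name -> digest map. Anything malformed fails closed.
func parseManifest(manifest []byte) (map[string]string, error) {
	out := map[string]string{}
	for _, line := range strings.Split(string(manifest), "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		out[fields[1]] = strings.ToLower(fields[0])
	}
	return out, nil
}

// VerifyPatch checks authenticity first (a forged or unsigned manifest makes
// every digest in it worthless), then integrity. pinnedKey is the vendor
// public key the entity stored independently of this delivery (assumption).
func VerifyPatch(pinnedKey ed25519.PublicKey, manifest, manifestSig []byte, name string, patch []byte) VerifyResult {
	if !ed25519.Verify(pinnedKey, manifest, manifestSig) {
		return VerifyResult{Reason: "manifest signature does not verify under the pinned vendor key"}
	}
	expected, err := parseManifest(manifest)
	if err != nil {
		return VerifyResult{Authentic: true, Reason: err.Error()}
	}
	want, ok := expected[name]
	if !ok {
		return VerifyResult{Authentic: true, Reason: "file not listed in the signed manifest: " + name}
	}
	sum := sha256.Sum256(patch)
	if got := hex.EncodeToString(sum[:]); got != want {
		return VerifyResult{Authentic: true, Reason: "SHA-256 mismatch for " + name}
	}
	return VerifyResult{Authentic: true, Intact: true, Reason: "ok: install may proceed"}
}

// RunScenarios stands in for the vendor side (key pair, manifest, signature,
// all constructed here) and exercises three deliveries: a good one, a file
// altered in transit, and a manifest signed by a key that is not the vendor's.
func RunScenarios() (good, tampered, forged VerifyResult) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	patch := []byte("constructed firmware image v2.3.1 for the example")
	sum := sha256.Sum256(patch)
	manifest := []byte(hex.EncodeToString(sum[:]) + "  relay-fw-2.3.1.bin\n")
	sig := ed25519.Sign(vendorPriv, manifest)

	good = VerifyPatch(vendorPub, manifest, sig, "relay-fw-2.3.1.bin", patch)

	altered := append([]byte{}, patch...)
	altered[0] ^= 0x01 // a single flipped bit, as corruption or substitution would leave
	tampered = VerifyPatch(vendorPub, manifest, sig, "relay-fw-2.3.1.bin", altered)

	forgedSig := ed25519.Sign(otherPriv, manifest)
	forged = VerifyPatch(vendorPub, manifest, forgedSig, "relay-fw-2.3.1.bin", patch)
	return good, tampered, forged
}

func main() {
	good, tampered, forged := RunScenarios()
	fmt.Printf("good:     %+v\ntampered: %+v\nforged:   %+v\n", good, tampered, forged)
}
```

The order of the checks is the point: a digest downloaded from the same place as the file only proves the file matches itself, so the trust anchor has to be a key (or a channel) the entity obtained separately from the delivery, and the result record distinguishes "vendor's list, wrong file" from "not the vendor's list at all" so the follow-up action can differ.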
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
• How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
• What R1 evidence will the CIP-013 audit team expect?
• What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
Archive SCRM evidence on a case-by-case basis.
• What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
• What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3); no more than 15 calendar months apart thereafter.
• What R3 evidence will the CIP-013 audit team expect?
• What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020; 18 CFR Part 40; Docket No. RM17-13-000. In Federal Register, 83(208), pp. 53992–54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4–43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84(96), pp. 22689–22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register, 78(33), pp. 11739–11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1–3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach U.S. Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R., & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1–R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1–R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
  – Consideration of all applicable equipment
  – Accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized
  – Protection
  – Analysis
  – Monitoring
Internal Controls
• Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
• All entities will have some level of internal controls in place.
• Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology: Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology: Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory: Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory: Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification: Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification: Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management: Example
(Diagram: Facility Ratings linked to the Standards that depend on them: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4)
Change Management: Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management: Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management: Example 2 (continued)
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
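The Inventory, Verification and Change Management controls described in the preceding slides can be made concrete in code. The following is an added Go example, not part of the NERC or WECC presentation: it keeps the series equipment per Facility, derives the Facility Rating as the most limiting Equipment Rating, runs the detective verification across the whole inventory, and records for each Equipment Rating change whether the Facility Rating moved and which groups (the four named on the slide) must be notified. Facility names, equipment IDs and ampere ratings are constructed; the "Line 202" record is deliberately mis-stated so the verification has something to catch.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sort"
)

// Equipment is one series element of a Facility with its Equipment Rating
// (continuous rating in amperes; all values in this example are constructed).
type Equipment struct {
	ID     string
	Rating float64
}

// Facility holds the series equipment whose most limiting Equipment Rating
// sets the Facility Rating (the FAC-008 objective on the slides).
type Facility struct {
	Equipment map[string]Equipment
}

// Inventory is the entity's record: equipment per Facility plus the Facility
// Rating it has established and published for each one.
type Inventory struct {
	Facilities map[string]*Facility
	Ratings    map[string]float64
}

// MostLimiting returns the Facility Rating derived from the equipment: the
// minimum Equipment Rating and the element that sets it (lowest ID on ties).
func (f *Facility) MostLimiting() (float64, string) {
	rating, limiting := math.Inf(1), ""
	for _, e := range f.Equipment {
		if e.Rating < rating || (e.Rating == rating && e.ID < limiting) {
			rating, limiting = e.Rating, e.ID
		}
	}
	return rating, limiting
}

// Recipients are the groups the slide names for automated notification.
var Recipients = []string{"Protection Engineering", "System Planning", "System Operations", "Operations Support"}

// ChangeImpact is the change-management record for one Equipment Rating change.
type ChangeImpact struct {
	Facility  string
	OldRating float64
	NewRating float64
	Changed   bool     // true when the Facility Rating itself moved
	Notify    []string // empty when the Facility Rating did not change
}

// ApplyEquipmentRatingChange updates one Equipment Rating, re-derives and
// records the Facility Rating, and flags whether downstream users must be told.
func (inv *Inventory) ApplyEquipmentRatingChange(facility, equipID string, newRating float64) (ChangeImpact, error) {
	f, ok := inv.Facilities[facility]
	if !ok {
		return ChangeImpact{}, fmt.Errorf("unknown facility %q", facility)
	}
	e, ok := f.Equipment[equipID]
	if !ok {
		return ChangeImpact{}, fmt.Errorf("unknown equipment %q in %q", equipID, facility)
	}
	if newRating <= 0 {
		return ChangeImpact{}, errors.New("equipment rating must be positive")
	}
	e.Rating = newRating
	f.Equipment[equipID] = e
	old := inv.Ratings[facility]
	derived, _ := f.MostLimiting()
	impact := ChangeImpact{Facility: facility, OldRating: old, NewRating: derived, Changed: derived != old}
	inv.Ratings[facility] = derived
	if impact.Changed {
		impact.Notify = Recipients
	}
	return impact, nil
}

// Verify is the detective control: recompute every Facility Rating from the
// equipment on record and list the Facilities whose published rating does not
// respect the most limiting element.
func (inv *Inventory) Verify() []string {
	var anomalies []string
	for name, f := range inv.Facilities {
		if derived, _ := f.MostLimiting(); derived != inv.Ratings[name] {
			anomalies = append(anomalies, name)
		}
	}
	sort.Strings(anomalies)
	return anomalies
}

// NewSampleInventory builds a constructed two-Facility inventory. "Line 202"
// is recorded at 1000 A although its conductor is rated 900 A.
func NewSampleInventory() *Inventory {
	line101 := &Facility{Equipment: map[string]Equipment{
		"CB-101": {"CB-101", 2000}, "CT-101": {"CT-101", 1200},
		"COND-101": {"COND-101", 1500}, "SW-101": {"SW-101", 1600},
	}}
	line202 := &Facility{Equipment: map[string]Equipment{
		"CB-202": {"CB-202", 1200}, "COND-202": {"COND-202", 900}, "WT-202": {"WT-202", 1000},
	}}
	return &Inventory{
		Facilities: map[string]*Facility{"Line 101": line101, "Line 202": line202},
		Ratings:    map[string]float64{"Line 101": 1200, "Line 202": 1000},
	}
}

func main() {
	inv := NewSampleInventory()
	fmt.Println("verification anomalies:", inv.Verify())
	impact, _ := inv.ApplyEquipmentRatingChange("Line 101", "CT-101", 1800)
	fmt.Printf("%+v\n", impact)
}
```

Raising the CT on Line 101 from 1200 A to 1800 A moves the Facility Rating to 1500 A (the conductor becomes the limiting element) and triggers the notification list; a later breaker change that leaves the conductor limiting changes nothing and notifies nobody, which is the "flagging when Equipment Rating changes impact Facility Ratings" behaviour the Inventory Example 2 slide describes.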
Questions
Break: Webinar participants, we will return at 3:45 pm Central.
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
WECC SCRM Outreach Disclaimer
This presentation discusses best practices for risk identification and assessment as well as common project management and procurement principles (see also NERC 2017 April Implementation Guidance pp 1ndash10)
It may provide an entity with a basic road map to develop its CIP-013 SCRM program risk identification and assessment methodology processes and procedures to support compliance with the Standard and enhance the reliability and security of the BES
Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1 as each entity has a unique blend of applicable BCS vendors products and required services that may require a different approach
Thus one size does not fit all as the devil is always in the details of any specific plan
2
SCRM amp Internal Controls What is an internal control relative to compliance
bull One or more processes that ensure an entity meets its objectives and goals for operational effectiveness efficiency and accurate reporting to demonstrate compliance with the NERC Reliability Standards Requirements andor Parts and addresses risks associated with the reliable operations of its business during the implementation of the Standards
In order to develop a strong set of internal controls for CIP-013-1 an entity must develop and document its R1- R3 SCRM plan(s) processes and procedures
A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes or shortly thereafter
3
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
• Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
• Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures
• Be proactive and monitor for future changes in CIP-013-2
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor - Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
  - Consideration of all applicable equipment
  - Accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized
  - Protection
  - Analysis
  - Monitoring
Internal Controls
• Internal controls are the processes and tools an entity utilizes to meet the identified objectives
• All entities will have some level of internal controls in place
• Internal control expectations depend on the inherent risk of the entity
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
(Diagram: Facility Ratings and the related Reliability Standards)
• TOP-003-3
• TOP-001-4
• TOP-002-4
• TPL-001-4
• IRO-010-2
• MOD-032-1
• PRC-023-4
Change Management Example 1
Low Bar Power Company has no documented change management processes but states: "Its personnel will know to review Facility Ratings if equipment changes occur. Appropriate personnel should receive an email when Facility Ratings change."
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  - Protection Engineering
  - System Planning
  - System Operations
  - Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
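Inventory Example 2 and the Change Management examples above describe three controls that fit together: flagging an Equipment Rating change that moves the Facility Rating, automatically notifying the downstream groups, and a detective check of the inventory against the field. The following Python is an added illustration of those controls; it is not code from the workshop or from any registered entity. The Facility, the equipment names, the ampere ratings and the documentation references are constructed sample values, and the Facility Rating is computed as the most limiting (minimum) series Equipment Rating, which is the objective the slides state.

```python
"""Facility Rating inventory with change-impact flagging and field verification.

Added example, not code from the NERC workshop deck or any registered entity.
The Facility Rating is the most limiting (minimum) Equipment Rating of the
series equipment; an Equipment Rating change is flagged when it moves the
Facility Rating; a field inspection is compared against the inventory.
All equipment names, ratings and document references are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Equipment:
    name: str
    rating_amps: int      # Equipment Rating in amperes (constructed values)
    source_doc: str       # Equipment Rating documentation reference


@dataclass
class Facility:
    name: str
    series_equipment: List[Equipment]

    def facility_rating(self) -> int:
        """Facility Rating = most limiting applicable Equipment Rating."""
        return min(e.rating_amps for e in self.series_equipment)

    def most_limiting(self) -> Equipment:
        return min(self.series_equipment, key=lambda e: e.rating_amps)


# Groups named on the slide that receive automated Facility Rating change notices.
NOTIFY_GROUPS = ["Protection Engineering", "System Planning",
                 "System Operations", "Operations Support"]


@dataclass
class ChangeRecord:
    facility: str
    equipment: str
    old_equipment_rating: int
    new_equipment_rating: int
    old_facility_rating: int
    new_facility_rating: int
    facility_rating_changed: bool
    notified: List[str] = field(default_factory=list)


class Inventory:
    def __init__(self, facilities: List[Facility]) -> None:
        self.facilities: Dict[str, Facility] = {f.name: f for f in facilities}
        self.change_log: List[ChangeRecord] = []

    def update_equipment_rating(self, facility: str, equipment: str,
                                new_rating: int, source_doc: str) -> ChangeRecord:
        """Change-management control: apply an Equipment Rating change, flag
        whether it moved the Facility Rating, and notify downstream groups."""
        fac = self.facilities[facility]
        eq = next(e for e in fac.series_equipment if e.name == equipment)
        old_fr, old_rating = fac.facility_rating(), eq.rating_amps
        eq.rating_amps, eq.source_doc = new_rating, source_doc
        new_fr = fac.facility_rating()
        changed = new_fr != old_fr
        rec = ChangeRecord(facility, equipment, old_rating, new_rating, old_fr,
                           new_fr, changed, list(NOTIFY_GROUPS) if changed else [])
        self.change_log.append(rec)   # every change is logged, even if the FR held
        return rec

    def verify(self, facility: str, field_ratings: Dict[str, int]) -> List[str]:
        """Detective control: compare the inventory with field-observed
        equipment and nameplate ratings; returns anomalies to evaluate."""
        fac = self.facilities[facility]
        anomalies = []
        for eq in fac.series_equipment:
            if eq.name not in field_ratings:
                anomalies.append(f"{eq.name}: in inventory but not found in the field")
            elif field_ratings[eq.name] != eq.rating_amps:
                anomalies.append(f"{eq.name}: inventory {eq.rating_amps} A, "
                                 f"field {field_ratings[eq.name]} A")
        known = {e.name for e in fac.series_equipment}
        anomalies += [f"{n}: found in the field but missing from inventory"
                      for n in field_ratings if n not in known]
        return anomalies


def build_sample_inventory() -> Inventory:
    """Constructed sample: one line terminal with four series elements."""
    return Inventory([Facility("Line 101 terminal", [
        Equipment("Breaker 101", 2000, "nameplate-BKR101"),
        Equipment("CT 101", 1200, "CT ratio sheet"),
        Equipment("Disconnect 101A", 1600, "nameplate-DS101A"),
        Equipment("Conductor 795 ACSR", 1500, "conductor rating table"),
    ])])


if __name__ == "__main__":
    inv = build_sample_inventory()
    fac = inv.facilities["Line 101 terminal"]
    print("Facility Rating:", fac.facility_rating(), "limited by", fac.most_limiting().name)
    rec = inv.update_equipment_rating("Line 101 terminal", "CT 101", 1500, "CT ratio sheet rev B")
    print("FR changed:", rec.facility_rating_changed, "->", rec.new_facility_rating, rec.notified)
    print(inv.verify("Line 101 terminal", {"Breaker 101": 2000, "CT 101": 1500,
                     "Disconnect 101A": 1200, "Conductor 795 ACSR": 1500, "Wave trap 101": 1200}))
```

The second update in the usage (a breaker re-rated while the CT remains the limiting element) is the case the "Low Bar" approach misses in the other direction: the Facility Rating did not move, so no downstream notice is needed, but the change is still logged so the inventory stays current for the next verification.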
Questions
Break: Webinar participants, we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23-24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
• Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
  - Connecticut Light & Power, with over 1,270,000 electric customers
  - NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
  - Public Service of New Hampshire, with 528,000 electric customers
• Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
• Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers
• Eversource serves nearly 230,000 water customers through Aquarion Water Company
• Eversource has approx. 8,000 employees
(Service territory map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  - Connecticut Light and Power (NCR07044)
  - NSTAR Electric Company (NCR7180)
  - Public Service of New Hampshire (NCR07203)
  - Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  - Supports efforts for consistency and best practice across 3 states
  - Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP
• As of January 2018, Eversource Energy's functional registration is now:

  Entity                                        DP   TO   TOP   TP   TSP
  Eversource Energy Service Company (NCR07176)   X    X    X     X    X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
SCRM & Internal Controls
What is an internal control relative to compliance?
• One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operations of its business during the implementation of the Standards
• In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes, and procedures
• A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS.
The SCRM security objective states: "To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems" (CIP-013-1, Purpose section, p. 1).
CIP-013-1 audits will begin next year.
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes
  - Part R1.1
  - Part 1.2 (Parts R1.2.1 – R1.2.6)
  - CIP-005-6 (Parts 2.4, 2.5)
  - CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity, and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks" (NERC, 2017, April, SCRM Implementation Guidance, General Considerations, p. 1)
Note: Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes. Remember the CIP-013-1 Security Objective: "To mitigate cyber security risks..." (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider ... options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents?
What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
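The two questions on the Part 1.2.5 slide (how to verify, and what to do once verified) are answered together in the following Python, which is an added example and not NERC, NATF or vendor code. It assumes the vendor publishes a manifest (file name, version, SHA-256 digest) and authenticates that manifest separately from the download; because the example uses only the standard library, the vendor's digital signature is stood in for by an HMAC-SHA256 over the manifest with a key exchanged out of band (a hypothetical stand-in; a production process verifies the vendor's code-signing or PGP signature instead). The package bytes, manifest, key and the names in the evidence record are constructed sample data. The point the code makes is ordering: authenticity of the published digest is established first, because a digest that cannot be attributed to the vendor proves nothing about the file, and the outcome is written into an evidence record of the kind R2 asks for.

```python
"""Integrity and authenticity check for a vendor-supplied patch (Part 1.2.5)
plus the evidence record a prudent entity keeps for R2.

Added example; not NERC, NATF or any vendor's code. The vendor's digital
signature over the manifest is stood in for by an HMAC-SHA256 with a key
shared out of band (stand-in assumption); a real process verifies the
vendor's code-signing or PGP signature. All sample data is constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: Dict[str, str]) -> bytes:
    """Deterministic encoding so both sides authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def vendor_sign(manifest: Dict[str, str], key: bytes) -> str:
    """Vendor-side stand-in for a digital signature over the manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_vendor_package(package: bytes, manifest: Dict[str, str],
                          manifest_sig: str, vendor_key: bytes) -> Dict[str, object]:
    """Authenticity first, then integrity. If the manifest cannot be attributed
    to the vendor, its digest is not trusted and the comparison is skipped."""
    result: Dict[str, object] = {"authentic": False, "integrity": False,
                                 "verified": False, "reasons": []}
    expected_sig = hmac.new(vendor_key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest_sig):
        result["reasons"].append("manifest authenticity check failed; digest not trusted")
        return result
    result["authentic"] = True
    actual = sha256_hex(package)
    if not hmac.compare_digest(actual, manifest["sha256"]):
        result["reasons"].append(f"SHA-256 mismatch: manifest {manifest['sha256'][:16]}..., "
                                 f"file {actual[:16]}...")
        return result
    result["integrity"] = True
    result["verified"] = True
    return result


def evidence_record(manifest: Dict[str, str], result: Dict[str, object],
                    verified_by: str, obtained_from: str) -> Dict[str, object]:
    """R2 evidence: what was verified, how, by whom, when, and the outcome."""
    outcome = ("verified; released to CIP-010 change management" if result["verified"]
               else "rejected; " + "; ".join(result["reasons"]))
    return {"file": manifest["file"], "version": manifest["version"],
            "expected_sha256": manifest["sha256"],
            "method": "manifest authenticity (HMAC stand-in for vendor signature) + SHA-256",
            "obtained_from": obtained_from, "verified_by": verified_by,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "outcome": outcome}


# Constructed sample data (not a real vendor, key, file or digest).
VENDOR_KEY = b"constructed-out-of-band-key"
GOOD_PACKAGE = b"RTU firmware 4.2.1 (constructed sample bytes)"
MANIFEST = {"file": "rtu-fw-4.2.1.bin", "version": "4.2.1", "sha256": sha256_hex(GOOD_PACKAGE)}
MANIFEST_SIG = vendor_sign(MANIFEST, VENDOR_KEY)


def run_scenarios() -> Dict[str, Dict[str, object]]:
    """Three cases a verification procedure must tell apart."""
    tampered = GOOD_PACKAGE + b"\x00"                      # file altered after publication
    forged = dict(MANIFEST, sha256=sha256_hex(tampered))   # manifest rewritten to match it
    return {
        "genuine": verify_vendor_package(GOOD_PACKAGE, MANIFEST, MANIFEST_SIG, VENDOR_KEY),
        "tampered_file": verify_vendor_package(tampered, MANIFEST, MANIFEST_SIG, VENDOR_KEY),
        "forged_manifest": verify_vendor_package(tampered, forged, MANIFEST_SIG, VENDOR_KEY),
    }


if __name__ == "__main__":
    results = run_scenarios()
    for name, res in results.items():
        print(f"{name}: {res}")
    print(evidence_record(MANIFEST, results["genuine"],
                          "analyst (constructed)", "vendor portal (constructed)"))
```

A rejected outcome is evidence too: the record shows the control ran and stopped an unverified patch, which is the kind of artifact an auditor asks for when checking that the documented process was actually followed.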
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
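Parts 1.2.3 and 1.2.6 above, together with the CIP-005-6 Parts 2.4 and 2.5 the deck says will be audited alongside them, describe one register: vendor accounts, the sessions those accounts open, the ability to see which sessions are active and to end them, and the action taken when a vendor reports that a representative should no longer have access. The following Python is an added example of such a register; it is not NERC's, a vendor's or any registered entity's code. It assumes vendor representatives and vendor systems hold named accounts on the entity's Intermediate System and that every vendor session is opened under an approving change ticket (the coordination the slide asks about). Account names, the vendor, tickets and times are constructed sample data.

```python
"""Vendor remote-access register: termination notices (Part 1.2.3) and
coordinated controls for vendor-initiated remote access (Part 1.2.6).

Added example; not NERC's, a vendor's or any registered entity's code.
Assumes named vendor accounts on an Intermediate System and a change ticket
per session. All accounts, vendors, tickets and times are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class VendorAccount:
    account: str
    vendor: str
    enabled: bool = True
    termination_notified_at: Optional[datetime] = None
    disabled_at: Optional[datetime] = None


@dataclass
class Session:
    account: str
    kind: str                  # "IRA" or "system-to-system"
    started_at: datetime
    change_ticket: str         # approval that coordinated this access
    ended_at: Optional[datetime] = None


class VendorAccessRegister:
    def __init__(self, accounts: List[VendorAccount],
                 max_session: timedelta = timedelta(hours=8)) -> None:
        self.accounts: Dict[str, VendorAccount] = {a.account: a for a in accounts}
        self.sessions: List[Session] = []
        self.max_session = max_session      # approved window per session
        self.audit_log: List[str] = []

    def open_session(self, account: str, kind: str, started_at: datetime,
                     change_ticket: Optional[str]) -> Session:
        """Part 1.2.6: access is coordinated, not self-service. Refuse disabled
        accounts and any session that has no approving change ticket."""
        acct = self.accounts[account]
        if not acct.enabled:
            raise PermissionError(f"{account} is disabled")
        if not change_ticket:
            raise PermissionError("vendor remote access requires an approved change ticket")
        session = Session(account, kind, started_at, change_ticket)
        self.sessions.append(session)
        self.audit_log.append(f"{started_at.isoformat()} {kind} opened for {account} under {change_ticket}")
        return session

    def active_sessions(self, as_of: datetime) -> List[Session]:
        """CIP-005-6 Part 2.4 capability: determine active vendor sessions."""
        return [s for s in self.sessions
                if s.started_at <= as_of and (s.ended_at is None or s.ended_at > as_of)]

    def end_sessions(self, as_of: datetime, account: Optional[str] = None,
                     vendor: Optional[str] = None) -> int:
        """CIP-005-6 Part 2.5 capability: disable active vendor sessions for one
        account, or for every account of a vendor (e.g. on a Part 1.2.2 incident)."""
        ended = 0
        for s in self.active_sessions(as_of):
            if account and s.account != account:
                continue
            if vendor and self.accounts[s.account].vendor != vendor:
                continue
            s.ended_at = as_of
            ended += 1
            self.audit_log.append(f"{as_of.isoformat()} session for {s.account} ended")
        return ended

    def process_termination_notice(self, account: str, vendor: str, notified_at: datetime) -> None:
        """Part 1.2.3: the vendor reports that this representative should no
        longer have access. Disable the account and end its sessions at once."""
        acct = self.accounts[account]
        if acct.vendor != vendor:
            raise ValueError(f"notice from {vendor} does not match {account}'s vendor {acct.vendor}")
        acct.termination_notified_at, acct.enabled, acct.disabled_at = notified_at, False, notified_at
        self.end_sessions(notified_at, account=account)
        self.audit_log.append(f"{notified_at.isoformat()} {account} disabled on {vendor} termination notice")

    def findings(self, as_of: datetime) -> List[str]:
        """Detective check: notices not acted on, and sessions past their window."""
        out = [f"{a.account}: still enabled after termination notice"
               for a in self.accounts.values() if a.termination_notified_at and a.enabled]
        out += [f"{s.account}: {s.kind} session open {as_of - s.started_at} under {s.change_ticket}"
                for s in self.active_sessions(as_of) if as_of - s.started_at > self.max_session]
        return out


# Constructed sample data.
T0 = datetime(2020, 7, 15, 9, 0, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    """Sample clock: T0 plus a number of hours."""
    return T0 + timedelta(hours=hours)


def build_sample_register() -> VendorAccessRegister:
    """One vendor representative and one vendor system account (constructed)."""
    return VendorAccessRegister([VendorAccount("acme-jdoe", "Acme Controls"),
                                 VendorAccount("acme-svc", "Acme Controls")])


if __name__ == "__main__":
    reg = build_sample_register()
    reg.open_session("acme-jdoe", "IRA", at(0), "CHG-0001")
    reg.open_session("acme-svc", "system-to-system", at(0), "CHG-0002")
    reg.process_termination_notice("acme-jdoe", "Acme Controls", at(2))
    print("\n".join(reg.audit_log))
    print("findings at +9h:", reg.findings(at(9)))
```

The audit log the register accumulates is the R2 artifact: for each vendor access it shows the approval it ran under, when it was ended, and that a termination notice produced a disable at a recorded time.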
Documenting Parts 1.2.1-1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
• Archive SCRM evidence on a case-by-case basis
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
• Initial review and approval is due on or before July 1, 2020 (NERC, 2017, July, Implementation Plan, Initial Performance section, p. 3)
• No more than 15 calendar months apart thereafter
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1 - Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register, 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
SCRM Security Objective
CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
The SCRM security objective states ldquoTo mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systemsrdquo (CIP-013-1 Purpose section p 1)
CIP-013-1 audits will begin next year
4
Developing SCRM Plans amp Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan
bull R1 procurement plan and processes Part R11
Part 12 (Parts R121 ndash R126)
CIP-005-6 (Parts 24 25)
CIP-010-3 (Part 16)
bull R2 implementation aspects (ie How will I document each applicable procurement implementation)
bull R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes
5
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3).
No more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect? What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2: Review the 2019 NERC Staff Report on SCRM
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1 - Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 - Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1-3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door, and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor - Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
- Consideration of all applicable equipment
- Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
- Protection
- Analysis
- Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
- Methodology
- Inventory
- Verification
- Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
- Annual reviews
- Roles and responsibilities
- Identification of tools
- Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
- Equipment Rating documentation
- Flagging when Equipment Rating changes impact Facility Ratings
- Identification of Facilities with unique characteristics
- Required fields dependent on characteristics of Facilities
- Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
- Anomalies evaluated for applicability to other Facilities
- Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
(Figure: Facility Ratings linked to TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4)
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
- Its personnel will know to review Facility Ratings if equipment changes occur
- Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes are implemented
- Confirmation that changes were implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
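The inventory, verification and change management controls above reduce to two computations: re-derive each Facility Rating from its series equipment and compare it with what is documented (the detective control), and evaluate a proposed Equipment Rating change against every Facility that contains that equipment before the change is made (the change-management control). The Go program below is an added example for this page, not code or data from the presentation or from any registered entity; the facilities, equipment IDs and ampere ratings are constructed, and it carries one rating per element (a real inventory carries normal and emergency ratings and seasonal variants, and the same logic is run per rating set).

```go
package main

import (
	"fmt"
	"math"
)

// Equipment is one series element of a Facility and its Equipment Rating in amperes.
type Equipment struct {
	ID      string
	RatingA float64
}

// Facility is one inventory record: the series equipment that comprises the
// Facility plus the Facility Rating the entity has documented for it.
// Field names are this example's own, not FAC-008 terms.
type Facility struct {
	Name    string
	Series  []Equipment
	RatingA float64 // documented Facility Rating
}

// DeriveRating returns the most limiting Equipment Rating in the series path
// and the ID of the element that sets it.
func DeriveRating(series []Equipment) (rating float64, limiting string, err error) {
	if len(series) == 0 {
		return 0, "", fmt.Errorf("facility has no series equipment in inventory")
	}
	rating = math.Inf(1)
	for _, e := range series {
		if e.RatingA < rating {
			rating, limiting = e.RatingA, e.ID
		}
	}
	return rating, limiting, nil
}

// Verify is the detective control: re-derive every Facility Rating from the
// inventory and report each documented rating that exceeds the derived one.
// A documented rating above the most limiting element means equipment was
// not considered or an Equipment Rating in the inventory is wrong.
func Verify(inv []Facility) map[string]string {
	findings := map[string]string{}
	for _, f := range inv {
		derived, lim, err := DeriveRating(f.Series)
		switch {
		case err != nil:
			findings[f.Name] = err.Error()
		case f.RatingA > derived:
			findings[f.Name] = fmt.Sprintf("documented %.0f A exceeds most limiting element %s (%.0f A)",
				f.RatingA, lim, derived)
		}
	}
	return findings
}

// Impact is one Facility whose rating a proposed equipment change would move.
type Impact struct {
	Facility    string
	OldRatingA  float64
	NewRatingA  float64
	NewLimiting string
}

// ChangeImpact is the change-management control: before an Equipment Rating
// change is applied, find every Facility containing that equipment and report
// those whose derived Facility Rating would change (up or down), so protection,
// planning and operations can be notified.
func ChangeImpact(inv []Facility, equipID string, newRatingA float64) []Impact {
	var impacts []Impact
	for _, f := range inv {
		updated := make([]Equipment, len(f.Series))
		touched := false
		for i, e := range f.Series {
			if e.ID == equipID {
				e.RatingA, touched = newRatingA, true
			}
			updated[i] = e
		}
		if !touched {
			continue
		}
		before, _, errB := DeriveRating(f.Series)
		after, lim, errA := DeriveRating(updated)
		if errB != nil || errA != nil || before == after {
			continue
		}
		impacts = append(impacts, Impact{f.Name, before, after, lim})
	}
	return impacts
}

// SampleInventory is constructed data for this example, not a real entity's model.
// Line 102 is documented at 1,200 A although its conductor is rated 1,000 A.
func SampleInventory() []Facility {
	return []Facility{
		{Name: "Line 101", RatingA: 1200, Series: []Equipment{
			{ID: "BKR-101", RatingA: 2000}, {ID: "CT-101", RatingA: 1200}, {ID: "COND-101", RatingA: 1500}}},
		{Name: "Line 102", RatingA: 1200, Series: []Equipment{
			{ID: "BKR-102", RatingA: 1600}, {ID: "SW-102", RatingA: 1200}, {ID: "COND-102", RatingA: 1000}}},
	}
}

func main() {
	inv := SampleInventory()
	for name, msg := range Verify(inv) {
		fmt.Printf("VERIFY  %s: %s\n", name, msg)
	}
	// Proposed change: replace CT-101 with a 1,800 A unit. Line 101 moves to 1,500 A, now limited by its conductor.
	for _, im := range ChangeImpact(inv, "CT-101", 1800) {
		fmt.Printf("CHANGE  %s: %.0f A -> %.0f A, now limited by %s\n", im.Facility, im.OldRatingA, im.NewRatingA, im.NewLimiting)
	}
}
```

Two design points carry over to a real inventory: the verification compares against the rating derived from inventory, not the documented one, so a wrong documented value is reported rather than propagated; and the change impact is evaluated on a copy before the inventory is updated, which is what lets the approval step in Example 2 see the consequence of a change before it is made.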
Questions
Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23-24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
- Connecticut Light & Power, with over 1,270,000 electric customers
- NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
- Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:
Functions: DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider
Entity | NCR | DP | TO | TOP | TP | TSP
Eversource Energy Service Company | NCR07176 | X | X | X | X | X
Developing SCRM Plans & Internal Controls
What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
• R1 procurement plan and processes:
  - Part R1.1
  - Part R1.2 (Parts R1.2.1 - R1.2.6)
  - CIP-005-6 (Parts 2.4, 2.5)
  - CIP-010-3 (Part 1.6)
• R2 implementation aspects (i.e., how will I document each applicable procurement implementation?)
• R3 review and approval processes
Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes.
Specific Vendor Risks
The Standard establishes minimum expectations for six key areas [R1.2.1 - R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
1. Notifications of vendor-identified incidents
2. Coordination of responses to such incidents
3. Notification of termination of remote or onsite access to BCS for vendor representatives
4. Disclosure by vendors of known vulnerabilities
5. Verification of software and patch integrity and authenticity; and
6. Coordination of controls for vendor-initiated IRA and system-to-system remote access
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to "develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include:" [see Parts R1.1 and R1.2].
How can I comply with R1?
• "Responsible entities should consider how to leverage the various components and phases of their processes (e.g., defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks." (NERC, 2017 April, SCRM Implementation Guidance, General Considerations, p. 1)
Bold font indicates [emphasis added] where applicable to draw attention to specific items.
CIP-013-1 Part R1.1
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).
What does "identify and assess" mean in terms of developing and documenting the R1 SCRM plan?
Should an entity mitigate identified cyber security risks?
• Yes; remember the CIP-013-1 Security Objective: "To mitigate cyber security risks…" (p. 1), which is reinforced by the note in the Requirement 1 Rationale section: "The security objective is to ensure entities consider … options for mitigating these risks" (Part 1.1, p. 11).
CIP-013-1 Part R1.2
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:
Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
What does "as applicable" mean in terms of my R1 plan and R2 implementation?
CIP-013-1 Part R1.2.1
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do to mitigate identified risks?
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents? What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures? How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Specific Vendor Risks The Standard establishes minimum expectations for six key
areas [R121 ndash R126] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products andor services
1 Notifications of vendor-identified incidents
2 Coordination of responses to such incidents
3 Notification of termination of remote or onsite access to BCS for vendor representatives
4 Disclosure by vendors of known vulnerabilities
5 Verification of software and patch integrity and authenticity and
6 Coordination of controls for vendor-initiated IRA and system-to-system remote access
6
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
How can an entity encourage vendors to provide such notifications?
What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
How can an entity encourage vendors to provide such disclosures?
How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
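As an added example, not code from the presentation or from any NERC or NATF document, here is the Part 1.2.5 check written in Go: the entity first verifies a vendor-signed digest manifest against a vendor public key obtained through a channel independent of the download, and only then compares the patch's SHA-256 against the signed manifest. The key pair, the sha256sum-style manifest format, the ed25519 signing scheme and the file contents are all assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Distinct failure reasons so a patch-management workflow can record which
// check failed and escalate accordingly.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the vendor key")
	ErrNotListed      = errors.New("file is not listed in the signed manifest")
	ErrDigestMismatch = errors.New("file digest does not match the signed manifest")
)

// ParseManifest reads sha256sum-style lines ("<hex digest>  <filename>") into a
// filename -> digest map. Blank lines and '#' comments are skipped.
func ParseManifest(manifest []byte) (map[string][]byte, error) {
	entries := make(map[string][]byte)
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		digest, err := hex.DecodeString(fields[0])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("bad sha256 digest in manifest line: %q", line)
		}
		entries[fields[1]] = digest
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return entries, nil
}

// VerifyPatch runs the two Part 1.2.5 checks in order: authenticity (the
// manifest was signed by the vendor key the entity obtained independently of
// the download) and then integrity (the received bytes hash to the signed
// digest). Any error means the patch must not be staged for the BES Cyber System.
func VerifyPatch(vendorKey ed25519.PublicKey, manifest, manifestSig []byte,
	filename string, content []byte) error {
	if !ed25519.Verify(vendorKey, manifest, manifestSig) {
		return ErrBadSignature
	}
	entries, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	expected, ok := entries[filename]
	if !ok {
		return ErrNotListed
	}
	actual := sha256.Sum256(content)
	if subtle.ConstantTimeCompare(actual[:], expected) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// BuildSignedManifest stands in for the vendor's release process so the example
// runs end to end; the entity never holds the vendor's private key.
func BuildSignedManifest(priv ed25519.PrivateKey, files map[string][]byte) (manifest, sig []byte) {
	var b strings.Builder
	b.WriteString("# constructed vendor manifest (example data)\n")
	for name, data := range files {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), name)
	}
	manifest = []byte(b.String())
	return manifest, ed25519.Sign(priv, manifest)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	image := []byte("constructed RTU firmware image")
	manifest, sig := BuildSignedManifest(priv, map[string][]byte{"rtu-fw-2.3.1.bin": image})
	fmt.Println("genuine patch:", VerifyPatch(pub, manifest, sig, "rtu-fw-2.3.1.bin", image))
	fmt.Println("altered patch:", VerifyPatch(pub, manifest, sig, "rtu-fw-2.3.1.bin", []byte("altered")))
}
```

The ordering matters: a manifest that fails the signature check is never consulted for digests, because a forged manifest could carry a matching digest for a tampered file.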
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1 through 1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3).
No more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, ¶ 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1, Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. Federal Register, 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1, Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. Federal Register, 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. Federal Register, 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity Implementation Guidance for CIP-010-3 R1, Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1-3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
- Consideration of all applicable equipment
- Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
- Protection
- Analysis
- Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations depend on the inherent risk of the entity.
Internal Controls
- Methodology
- Inventory
- Verification
- Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
- Annual reviews
- Roles and responsibilities
- Identification of tools
- Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
- Equipment Rating documentation
- Flagging when Equipment Rating changes impact Facility Ratings
- Identification of Facilities with unique characteristics
- Required fields dependent on characteristics of Facilities
- Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
- Anomalies evaluated for applicability to other Facilities
- Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
Change Management Example
(Diagram: Facility Ratings and related standards: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4)
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
- Its personnel will know to review Facility Ratings if equipment changes occur
- Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes are implemented
- Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
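The inventory, verification and change-management controls on the preceding slides (Inventory Example 2, Verification, Change Management) can be expressed as one small program. This is an added example, not tooling from the presentation or from the fictional Low Bar or Max Reliability companies; it assumes ratings in amps with separate normal and emergency values, and the two-Facility inventory is constructed data.

```go
package main

import "fmt"

// Rating carries normal and emergency values (amps here; the units are whatever
// the entity's FAC-008 methodology specifies).
type Rating struct{ Normal, Emergency float64 }

// Equipment is one series element of a Facility with its Equipment Rating.
type Equipment struct{ ID string; Rating Rating }

// Facility is the series equipment between two terminals plus the Facility
// Rating on file, which is what protection, planning and operations consume.
type Facility struct {
	ID         string
	Series     []Equipment
	Documented Rating
}

// MostLimiting derives the Facility Rating: the minimum applicable Equipment
// Rating, tracked separately for normal and emergency because a different
// element may limit each. It also names the limiting element for each.
func MostLimiting(f Facility) (r Rating, limitNormal, limitEmergency string) {
	for i, e := range f.Series {
		if i == 0 || e.Rating.Normal < r.Normal {
			r.Normal, limitNormal = e.Rating.Normal, e.ID
		}
		if i == 0 || e.Rating.Emergency < r.Emergency {
			r.Emergency, limitEmergency = e.Rating.Emergency, e.ID
		}
	}
	return r, limitNormal, limitEmergency
}

// Finding is one discrepancy reported by the detective control.
type Finding struct {
	FacilityID                  string
	Documented, Computed        Rating
	LimitNormal, LimitEmergency string
}

// VerifyInventory is the detective control: each documented Facility Rating must
// equal the most limiting rating of its series equipment. A documented value above
// the computed one is the reliability concern; below it is still reported.
func VerifyInventory(inv []Facility) []Finding {
	var findings []Finding
	for _, f := range inv {
		computed, ln, le := MostLimiting(f)
		if computed != f.Documented {
			findings = append(findings, Finding{f.ID, f.Documented, computed, ln, le})
		}
	}
	return findings
}

// Impact records a Facility whose derived rating moved after an equipment change.
type Impact struct{ FacilityID string; Before, After Rating }

// ApplyEquipmentChange is the change-management control: it updates an Equipment
// Rating wherever that equipment appears and reports the Facilities whose derived
// rating changed (the trigger for notifying protection, planning and operations).
// The documented rating is left untouched, so VerifyInventory keeps flagging the
// Facility until the inventory is updated.
func ApplyEquipmentChange(inv []Facility, equipmentID string, newRating Rating) []Impact {
	var impacts []Impact
	for i := range inv {
		before, _, _ := MostLimiting(inv[i])
		touched := false
		for j := range inv[i].Series {
			if inv[i].Series[j].ID == equipmentID {
				inv[i].Series[j].Rating = newRating
				touched = true
			}
		}
		if after, _, _ := MostLimiting(inv[i]); touched && after != before {
			impacts = append(impacts, Impact{inv[i].ID, before, after})
		}
	}
	return impacts
}

// SampleInventory is constructed data: LINE-A is consistent; LINE-B's documented
// rating was taken from the CT instead of the more limiting conductor.
func SampleInventory() []Facility {
	return []Facility{
		{ID: "LINE-A", Documented: Rating{1000, 1200}, Series: []Equipment{
			{"A-COND", Rating{1200, 1400}}, {"A-CT1", Rating{1000, 1200}}, {"A-SW1", Rating{1600, 1600}}}},
		{ID: "LINE-B", Documented: Rating{1200, 1500}, Series: []Equipment{
			{"B-COND", Rating{900, 1100}}, {"B-CT1", Rating{1200, 1500}}, {"B-SW1", Rating{1600, 1600}}}},
	}
}

func main() {
	inv := SampleInventory()
	fmt.Printf("findings before change: %+v\n", VerifyInventory(inv))
	fmt.Printf("CT replaced on LINE-A:  %+v\n", ApplyEquipmentChange(inv, "A-CT1", Rating{1500, 1800}))
	fmt.Printf("findings after change:  %+v\n", VerifyInventory(inv))
}
```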
Questions
Break
Webinar participants: We will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23-24th, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in the CT, MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy):
- Connecticut Light & Power, with over 1,270,000 electric customers
- NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
- Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Service territory map; labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

  Registered Entity                              DP  TO  TOP  TP  TSP
  Eversource Energy Service Company (NCR07176)   X   X   X    X   X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
CIP-013-1 R1
CIP-013-1 recognizes the risks posed by compromised BCS through vendor products andor services and expressly requires applicable Responsible Entities to ldquodevelop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems The plan(s) shall includerdquo [see Parts R11 and R12] How can I comply with R1
bull ldquoResponsible entities should consider how to leverage the various components and phases of their processes (eg defined requirements request for proposal bid evaluation external vendor assessment tools and data third party certifications and audit reports etc) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risksrdquo(NERC 2017 April SCRM Implementation Guidance General Considerations p 1)
7 Bold font indicates [emphasis added] where applicable to draw attention to specific items
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
CIP-013-1 Part R11
One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from
i procuring and installing vendor equipment and software and ii transitions from one vendor(s) to another vendor(s)
What does ldquoidentify and assessrdquo mean in terms of developing and documenting the R1 SCRM plan
Should an entity mitigate identified cyber security risksbull Yes remember the CIP-013-1 Security Objective ldquoTo mitigate cyber
security riskshelliprdquo (p 1) which is reinforced by the note in the Requirement 1 Rationale section ldquoThe security objective is to ensure entities consider hellip options for mitigating these risks (Part 11 p 11)
8
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?

Documenting Parts 1.2.1–1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation

Don’t Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.

Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?

Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?

Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan, Initial Performance section, p. 3).
No more than 15 calendar months apart thereafter.
What R3 evidence will the CIP-013 audit team expect? What R3 internal controls would a prudent entity develop?
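A small detective control for the R3 cadence, as an added example (not from the presentation): given the dates on which the CIP Senior Manager or delegate approved the plan, it flags any interval longer than 15 calendar months, checks the July 1, 2020 initial due date, and computes when the next approval falls due. The approval dates are constructed; clamping to the last day of the month when the start day has no counterpart in the target month (31 January plus one month) is an assumed interpretation that the Standard does not spell out.

```python
from datetime import date
import calendar

REVIEW_INTERVAL_MONTHS = 15       # CIP-013-1 R3: at least once every 15 calendar months
INITIAL_DUE = date(2020, 7, 1)    # initial review and approval due date (Implementation Plan)


def _as_date(d) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_calendar_months(d, months: int) -> date:
    """Add whole calendar months. If the start day does not exist in the target
    month (31 January + 1 month), clamp to that month's last day; this is an
    assumed interpretation, not something the Standard states."""
    d = _as_date(d)
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_due(last_approval) -> date:
    """Latest date by which the next R3 review and approval must be completed."""
    return add_calendar_months(last_approval, REVIEW_INTERVAL_MONTHS)


def check_approval_history(approvals, as_of) -> dict:
    """Evaluate a list of approval dates.

    Reports whether the initial approval was late, every interval that
    exceeded 15 calendar months, the next due date, and whether the plan is
    overdue as of the given date.
    """
    dates = sorted(_as_date(a) for a in approvals)
    as_of = _as_date(as_of)
    findings = []
    if not dates or dates[0] > INITIAL_DUE:
        findings.append(f"initial approval not completed on or before {INITIAL_DUE}")
    for prev, cur in zip(dates, dates[1:]):
        if cur > next_due(prev):
            findings.append(f"approval {cur} came after the {next_due(prev)} deadline set by {prev}")
    due = next_due(dates[-1]) if dates else INITIAL_DUE
    return {"findings": findings, "next_due": due, "overdue_as_of": as_of > due}


if __name__ == "__main__":
    # constructed approval history for demonstration
    print(check_approval_history(["2020-06-15", "2021-09-15", "2023-01-20"], "2024-05-01"))
```

Run against the real approval log, the output is the list of findings an internal reviewer would want before the audit team finds them, plus the next due date to put on the calendar.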
Looking Ahead to CIP-013-2: Review the 2019 NERC Staff Report on SCRM
• Addresses FERC’s directive to “develop modifications to include EACMS associated with medium and high BES Cyber Systems” (FERC Order 850, ¶ 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT.
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.

ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register, 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register, 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?

Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security
jbaugh@wecc.org

Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
- Consideration of all applicable equipment
- Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
- Protection
- Analysis
- Monitoring

Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations depend on the inherent risk of the entity.

Internal Controls
- Methodology
- Inventory
- Verification
- Change Management

Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.

Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.

Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
- Annual reviews
- Roles and responsibilities
- Identification of tools
- Step-by-step work instructions

Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings

Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.

Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
- Equipment Rating documentation
- Flagging when Equipment Rating changes impact Facility Ratings
- Identification of Facilities with unique characteristics
- Required fields dependent on characteristics of Facilities
- Automated notification for Facility Rating changes

Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.

Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.

Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
- Anomalies evaluated for applicability to other Facilities
- Identified Facilities prioritized for future field inspections

Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
Change Management Example (diagram)
Facility Ratings: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
- Its personnel will know to review Facility Ratings if equipment changes occur
- Appropriate personnel should receive an email when Facility Ratings change

Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes are implemented
- Confirmation that changes were implemented as planned

Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
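The inventory, the "most limiting Equipment Rating" rule and the Facility Rating change notification from the Inventory and Change Management examples, as an added example (not the presentation's own code and not from any utility): a constructed line with three series elements, the Facility Rating computed as the minimum of the Equipment Ratings, and a change-management step that updates one Equipment Rating, decides whether the Facility Rating changed, and lists the groups the presentation names as recipients when it did. Line and equipment names and the ampere ratings are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Equipment:
    """One series element of a Facility with its normal and emergency ratings (amperes)."""
    name: str
    normal_a: float
    emergency_a: float


@dataclass
class Facility:
    name: str
    series_equipment: list = field(default_factory=list)

    def rating(self) -> dict:
        """Facility Rating = the most limiting Equipment Rating among the series
        equipment, tracked separately for normal and emergency ratings, together
        with the name of the element that sets each limit."""
        normal_limit = min(self.series_equipment, key=lambda e: e.normal_a)
        emerg_limit = min(self.series_equipment, key=lambda e: e.emergency_a)
        return {
            "normal_a": normal_limit.normal_a, "normal_limiting": normal_limit.name,
            "emergency_a": emerg_limit.emergency_a, "emergency_limiting": emerg_limit.name,
        }


# The groups the presentation names as recipients of Facility Rating change notices.
NOTIFY = ["Protection Engineering", "System Planning", "System Operations", "Operations Support"]


def apply_equipment_change(facility: Facility, equipment_name: str,
                           normal_a: float, emergency_a: float) -> dict:
    """Change-management step: update one Equipment Rating in the inventory,
    then determine whether the Facility Rating changed and who must be told."""
    before = facility.rating()
    for e in facility.series_equipment:
        if e.name == equipment_name:
            e.normal_a, e.emergency_a = normal_a, emergency_a
            break
    else:
        raise KeyError(f"{equipment_name} is not in the inventory for {facility.name}")
    after = facility.rating()
    changed = (before["normal_a"], before["emergency_a"]) != (after["normal_a"], after["emergency_a"])
    return {
        "facility": facility.name,
        "before": before,
        "after": after,
        "facility_rating_changed": changed,
        "notify": NOTIFY if changed else [],
    }


def build_line() -> Facility:
    """Constructed inventory: a transmission line limited by a CT, not its conductor."""
    return Facility("Line 1234 (constructed)", [
        Equipment("conductor", 1200, 1400),
        Equipment("CT at breaker 52-1", 1000, 1100),   # the limiting element
        Equipment("disconnect switch", 1600, 1600),
    ])


if __name__ == "__main__":
    line = build_line()
    print(line.rating())
    print(apply_equipment_change(line, "CT at breaker 52-1", 1500, 1500))
```

Keeping the limiting element's name in the record is what makes the inventory useful for verification: a field inspection can confirm that the named element is actually installed and rated as documented, and a derating of a non-limiting element is correctly recorded without triggering downstream notifications.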
Questions

Break. Webinar participants: we will return at 3:45 pm Central.

Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D’Alessandro, JD, Senior Specialist, Reliability Compliance

Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
ISO-NE, NSTAR, CONVEX, ESCC

Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy’s functional registration is now:

  Entity                             NCR        DP   TO   TOP   TP   TSP
  Eversource Energy Service Company  NCR07176   X    X    X     X    X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
CIP-013-1 Part R12
One or more process(es) used in procuring BES Cyber Systems that address the following as applicable Do I really need to include specific processes
andor procedures for each of the six R12 Parts in my SCRM procurement plan
What does ldquoas applicablerdquo mean in terms of my R1 plan and R2 implementation
9
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
CIP-013-1 Part R121
Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity encourage vendors to
provide such notifications What would a prudent entity do to mitigate
identified risks
10
CIP-013-1 Part R122
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity How can an entity establish this coordination
of responses for such incidents What would a prudent entity do if and when
notified of vendor-identified SCRM-related incidents
11
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1, Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
• Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
• Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures
• Be proactive and monitor for future changes in CIP-013-2
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org

Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility: consideration of all applicable equipment; accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized: protection, analysis, monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
Change Management Example
[Diagram: Facility Ratings and the standards that depend on them: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to Protection Engineering, System Planning, System Operations, and Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
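To make the Inventory Example 2 and Change Management controls above concrete, here is an added Go example (not the presenter's or any registered entity's code) that computes a Facility Rating as the most limiting series Equipment Rating, applies an Equipment Rating change, flags whether the Facility Rating moved, and lists the groups the slides say receive automated notification. The facility name, equipment tags, and ratings are constructed sample data, and the data model is an assumption for illustration, not any entity's inventory schema.

```go
package main

import (
	"errors"
	"fmt"
)

// Equipment is one series element of a Facility with its Equipment Rating
// (amperes). Constructed data model for this example only.
type Equipment struct {
	Tag    string
	Rating float64
}

// Facility is a set of series equipment; its Facility Rating is the most
// limiting (minimum) applicable Equipment Rating.
type Facility struct {
	Name      string
	Equipment []Equipment
}

// stakeholders are the groups the page lists for automated notification
// when a Facility Rating changes.
var stakeholders = []string{
	"Protection Engineering", "System Planning", "System Operations", "Operations Support",
}

// FacilityRating returns the most limiting Equipment Rating and the tag of
// the limiting element; an empty inventory is an error, not a rating of 0.
func FacilityRating(f Facility) (float64, string, error) {
	if len(f.Equipment) == 0 {
		return 0, "", errors.New("facility has no equipment in inventory")
	}
	minR, minTag := f.Equipment[0].Rating, f.Equipment[0].Tag
	for _, e := range f.Equipment[1:] {
		if e.Rating < minR {
			minR, minTag = e.Rating, e.Tag
		}
	}
	return minR, minTag, nil
}

// ChangeImpact is the change-management record: whether the Facility Rating
// moved and who must be notified if it did.
type ChangeImpact struct {
	Facility string
	Before   float64
	After    float64
	Changed  bool
	Notify   []string
}

// ApplyEquipmentChange updates one Equipment Rating in the inventory and
// evaluates the impact on the Facility Rating (the flagging control from
// Inventory Example 2). A tag missing from inventory is rejected so the
// inventory gets updated before the rating change is evaluated.
func ApplyEquipmentChange(f *Facility, tag string, newRating float64) (ChangeImpact, error) {
	before, _, err := FacilityRating(*f)
	if err != nil {
		return ChangeImpact{}, err
	}
	found := false
	for i := range f.Equipment {
		if f.Equipment[i].Tag == tag {
			f.Equipment[i].Rating = newRating
			found = true
		}
	}
	if !found {
		return ChangeImpact{}, fmt.Errorf("equipment %q not in inventory for %s", tag, f.Name)
	}
	after, _, _ := FacilityRating(*f)
	imp := ChangeImpact{Facility: f.Name, Before: before, After: after, Changed: after != before}
	if imp.Changed {
		imp.Notify = stakeholders
	}
	return imp, nil
}

// SampleFacility is constructed sample data: a line terminal whose CT is the
// limiting element.
func SampleFacility() Facility {
	return Facility{Name: "Substation A - Line 1 Terminal", Equipment: []Equipment{
		{"BKR-101", 2000}, {"CT-101", 1200}, {"LINE-1", 1500}, {"DISC-101", 1600},
	}}
}

func main() {
	f := SampleFacility()
	r, tag, _ := FacilityRating(f)
	fmt.Printf("%s rated %.0f A, limited by %s\n", f.Name, r, tag)
	imp, _ := ApplyEquipmentChange(&f, "CT-101", 1600) // CT replaced with a higher-rated unit
	fmt.Printf("after CT change: %.0f -> %.0f, changed=%v, notify=%v\n", imp.Before, imp.After, imp.Changed, imp.Notify)
}
```

Replacing the CT raises the Facility Rating only up to the next limiting element (the line), which is exactly the case where a spreadsheet that is not re-evaluated on every equipment change drifts from the field.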
Questions

Break: Webinar participants, we will return at 3:45 pm Central.

Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Service territory map labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:
Entity | NCR | DP | TO | TOP | TP | TSP
Eversource Energy Service Company | NCR07176 | X | X | X | X | X
(DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
CIP-013-1 Part R1.2.2
Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity.
How can an entity establish this coordination of responses for such incidents? What would a prudent entity do if and when notified of vendor-identified SCRM-related incidents?
CIP-013-1 Part R1.2.3
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives.
How can an entity encourage vendors to provide such notifications? What would a prudent entity do upon such access notifications?
CIP-013-1 Part R1.2.4
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity.
How can an entity encourage vendors to provide such disclosures? How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and
How can an entity verify the software integrity and authenticity of software and patches provided by vendors? What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
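As an added illustration of Part 1.2.5 (this is example code, not NERC's, WECC's, or the presenter's), the following Go program shows one way an entity can check both properties before a vendor patch reaches a BES Cyber System: integrity, by recomputing the SHA-256 digest of the downloaded artifact and comparing it with the digest the vendor published, and authenticity, by verifying the vendor's Ed25519 signature over that digest against a public key the entity pinned through an out-of-band channel at procurement time. The manifest structure, file name, seed-derived keys, and "firmware" bytes are all constructed for the example and stand in for whatever format a real vendor ships.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ReleaseManifest is what the vendor publishes alongside a patch: the
// expected SHA-256 of the artifact and the vendor's signature over that
// digest. Constructed structure for this example, not a NERC or vendor format.
type ReleaseManifest struct {
	Filename  string
	SHA256Hex string // digest as published by the vendor
	Signature []byte // Ed25519 signature over the raw digest bytes
}

// VerifyRelease checks authenticity (the published digest was signed by the
// pinned vendor key) and then integrity (the downloaded bytes hash to that
// digest). vendorPub must come from an out-of-band channel, never from the
// same download as the patch.
func VerifyRelease(artifact []byte, m ReleaseManifest, vendorPub ed25519.PublicKey) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("vendor public key has wrong length")
	}
	want, err := hex.DecodeString(m.SHA256Hex)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest digest is malformed")
	}
	// Authenticity first: a digest nobody vouches for is not worth comparing.
	if !ed25519.Verify(vendorPub, want, m.Signature) {
		return errors.New("manifest signature does not verify against pinned vendor key")
	}
	got := sha256.Sum256(artifact)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("integrity failure: artifact digest %x != published %x", got[:], want)
	}
	return nil
}

// vendorSign models the vendor side: sign the SHA-256 of a release. A real
// vendor keeps this key in an HSM; here it is derived from a fixed seed so
// the example is reproducible offline.
func vendorSign(priv ed25519.PrivateKey, artifact []byte) ReleaseManifest {
	d := sha256.Sum256(artifact)
	return ReleaseManifest{
		Filename:  "rtu-firmware-3.2.1.bin", // constructed name
		SHA256Hex: hex.EncodeToString(d[:]),
		Signature: ed25519.Sign(priv, d[:]),
	}
}

// Demo runs three scenarios and returns
// (genuineAccepted, tamperedRejected, wrongKeyRejected).
func Demo() (bool, bool, bool) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed, not a real key
	priv := ed25519.NewKeyFromSeed(seed)
	pinnedPub := priv.Public().(ed25519.PublicKey)

	artifact := []byte("constructed sample firmware image bytes")
	manifest := vendorSign(priv, artifact)
	genuine := VerifyRelease(artifact, manifest, pinnedPub) == nil

	// A download that differs by one bit from what the vendor signed.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	tamperedRejected := VerifyRelease(tampered, manifest, pinnedPub) != nil

	// A manifest that matches the altered bytes but is signed with a key the
	// entity never pinned: integrity would pass, authenticity must not.
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	forged := vendorSign(otherPriv, tampered)
	wrongKeyRejected := VerifyRelease(tampered, forged, pinnedPub) != nil

	return genuine, tamperedRejected, wrongKeyRejected
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, unpinned key rejected: %v\n", g, t, w)
}
```

The third scenario is the one that separates "we checked the hash" from "we verified authenticity": a published digest that sits next to the download can be replaced together with the download, so the trust anchor has to be the key obtained independently of the patch channel, and the evidence a prudent entity retains for R2 is the verification record against that pinned key.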
CIP-013-1 Part R1.2.6
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s).
How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1-1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
• In its R1 procurement plan
• For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date? Archive SCRM evidence on a case-by-case basis.
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
CIP-013-1 Part R123
Notification by vendors when remote or onsite access should no longer be granted to vendor representatives How can an entity encourage vendors to
provide such notifications What would a prudent entity do upon such
access notifications
12
CIP-013-1 Part R124
Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity How can an entity encourage vendors to
provide such disclosures How would a prudent entity mitigate the risks
of such vulnerabilities
13
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
- Anomalies evaluated for applicability to other Facilities
- Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
- Equipment Rating changes are evaluated to identify impacts to Facility Ratings
- Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example
(Diagram) Facility Ratings, linked to the following standards: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
- Its personnel will know to review Facility Ratings if equipment changes occur
- Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes are implemented
- Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  - Protection Engineering
  - System Planning
  - System Operations
  - Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
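The inventory, verification and change-management controls on the preceding slides can be expressed as a small program. The following Go code is an added example, not part of the presentation or of any registered entity's tooling. It treats the Facility Rating as the most limiting Equipment Rating among the series equipment in an inventory record, recomputes that value as the detective check and compares it with the documented rating, and evaluates a proposed Equipment Rating change for Facility Rating impact before listing the notification recipients named on the slide. The equipment identifiers, the ampere ratings and the facility name are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Equipment is one series element of a Facility and its Equipment Rating in
// amperes. All identifiers and values in this file are constructed.
type Equipment struct {
	ID     string
	Rating float64
}

// Facility is an inventory record: the series equipment that comprises the
// Facility and the Facility Rating the entity currently has on file.
type Facility struct {
	Name           string
	Equipment      []Equipment
	RecordedRating float64
}

// ErrNoEquipment is returned when a Facility record lists no series equipment,
// which is itself an inventory gap worth flagging.
var ErrNoEquipment = errors.New("facility has no series equipment in inventory")

// MostLimiting returns the lowest Equipment Rating among the series equipment
// and the ID of the element that sets it. The Facility Rating must respect it.
func MostLimiting(eq []Equipment) (float64, string, error) {
	if len(eq) == 0 {
		return 0, "", ErrNoEquipment
	}
	limit, id := math.Inf(1), ""
	for _, e := range eq {
		if e.Rating < limit {
			limit, id = e.Rating, e.ID
		}
	}
	return limit, id, nil
}

// VerifyResult is the output of the detective control, shaped so it can be
// retained as evidence that the check was performed.
type VerifyResult struct {
	Facility   string
	Recorded   float64
	Computed   float64
	LimitingID string
	Consistent bool // recorded rating does not exceed the most limiting element
}

// Verify recomputes the Facility Rating from the inventory and compares it
// with the documented value. A recorded rating above the most limiting
// Equipment Rating is the anomaly that field inspections look for.
func Verify(f Facility) (VerifyResult, error) {
	limit, id, err := MostLimiting(f.Equipment)
	if err != nil {
		return VerifyResult{}, err
	}
	return VerifyResult{Facility: f.Name, Recorded: f.RecordedRating, Computed: limit,
		LimitingID: id, Consistent: f.RecordedRating <= limit}, nil
}

// ChangeImpact evaluates a proposed Equipment Rating change and reports the
// Facility Rating before and after. impacted is true when the Facility Rating
// changes, which is the trigger for notifying the groups returned by Notify.
func ChangeImpact(f Facility, equipmentID string, newRating float64) (impacted bool, before, after float64, err error) {
	before, _, err = MostLimiting(f.Equipment)
	if err != nil {
		return false, 0, 0, err
	}
	updated := make([]Equipment, 0, len(f.Equipment))
	found := false
	for _, e := range f.Equipment {
		if e.ID == equipmentID {
			e.Rating = newRating
			found = true
		}
		updated = append(updated, e)
	}
	if !found {
		return false, 0, 0, fmt.Errorf("equipment %q not in inventory for %s", equipmentID, f.Name)
	}
	after, _, err = MostLimiting(updated)
	return before != after, before, after, err
}

// Notify returns the groups that receive an automated notification when a
// Facility Rating changes (the four recipients named on the slide).
func Notify(impacted bool) []string {
	if !impacted {
		return nil
	}
	return []string{"Protection Engineering", "System Planning", "System Operations", "Operations Support"}
}

func main() {
	// Constructed sample: a line terminal whose documented rating was never
	// lowered after a more limiting element (the wave trap) was installed.
	f := Facility{
		Name:           "Example Line 1 Terminal A (constructed)",
		Equipment:      []Equipment{{"CB-101", 2000}, {"CT-101", 1600}, {"Conductor", 1200}, {"Wave trap", 800}},
		RecordedRating: 1200,
	}
	r, _ := Verify(f)
	fmt.Printf("%+v\n", r) // Consistent:false, LimitingID:"Wave trap"
	imp, before, after, _ := ChangeImpact(f, "Wave trap", 1250)
	fmt.Println(imp, before, after, Notify(imp))
}
```

Run as-is it prints the verification record for the constructed terminal, then the before/after Facility Rating for a proposed wave trap replacement and the groups that would be notified. A real inventory record would carry the Equipment Rating documentation and unique-characteristic fields from Inventory Example 2 alongside these values.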
Questions
Break. Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in the CT, MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy):
- Connecticut Light & Power, with over 1,270,000 electric customers
- NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
- Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Service territory map; labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
- Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  - Connecticut Light and Power (NCR07044)
  - NSTAR Electric Company (NCR7180)
  - Public Service of New Hampshire (NCR07203)
  - Western Massachusetts Electric (NCR07232)
- Benefits of registration consolidation include the following:
  - Supports efforts for consistency and best practice across 3 states
  - Efficiency through consolidation of external audits
- In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
- As of January 2018, Eversource Energy's functional registration is now:

  Entity                                        DP   TO   TOP   TP   TSP
  Eversource Energy Service Company (NCR07176)  X    X    X     X    X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
CIP-013-1 Part R1.2.4
"Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity"
- How can an entity encourage vendors to provide such disclosures?
- How would a prudent entity mitigate the risks of such vulnerabilities?
CIP-013-1 Part R1.2.5
"Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and"
- How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
- What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
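One way to answer the two questions on this slide in code. This Go example is added here and is not the presentation's, NERC's or any vendor's code. It assumes the vendor publishes a SHA-256 digest of each patch and an Ed25519 signature over that digest, and that the entity has obtained the vendor's public key out of band and pinned it; the signing scheme, the product name and the patch bytes are assumptions constructed for the example (vendors in practice publish PGP or Authenticode signatures or signed manifests, and the check has the same structure). Integrity is the digest comparison, authenticity is the signature check under the pinned key, and the function returns a record of both outcomes that can be archived as R2 evidence and handed to the entity's change management.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// VendorRelease is what the entity receives from the vendor: the patch bytes,
// the SHA-256 digest the vendor published for them, and the vendor's
// signature over that digest. Ed25519 over the hex digest is an assumed
// scheme for this example, not any particular vendor's practice.
type VendorRelease struct {
	Product   string
	Version   string
	Payload   []byte
	Digest    string // hex SHA-256 published by the vendor
	Signature []byte
}

// Evidence is the record a prudent entity archives after the check, whatever
// the outcome: what was verified, how, when, and the resulting disposition.
type Evidence struct {
	Product, Version string
	ComputedDigest   string
	IntegrityOK      bool
	AuthenticityOK   bool
	VerifiedAt       time.Time
	Disposition      string // "APPROVED" or "REJECT"
}

var (
	ErrIntegrity    = errors.New("integrity: computed digest does not match the vendor-published digest")
	ErrAuthenticity = errors.New("authenticity: signature does not verify under the pinned vendor key")
)

// digestHex returns the hex-encoded SHA-256 of b.
func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyRelease checks authenticity (the vendor signed the published digest
// with the key the entity pinned out of band, never a key shipped with the
// download) and integrity (the bytes on hand hash to that digest). Both must
// hold: a genuine signature over a digest that does not match the file means
// the file was altered or swapped after signing. An Evidence record is
// returned in every case; err is non-nil when the patch must not be deployed.
func VerifyRelease(rel VendorRelease, pinnedVendorKey ed25519.PublicKey, now time.Time) (Evidence, error) {
	ev := Evidence{Product: rel.Product, Version: rel.Version, VerifiedAt: now, Disposition: "REJECT"}
	ev.ComputedDigest = digestHex(rel.Payload)
	ev.IntegrityOK = ev.ComputedDigest == rel.Digest
	ev.AuthenticityOK = ed25519.Verify(pinnedVendorKey, []byte(rel.Digest), rel.Signature)
	if !ev.AuthenticityOK {
		return ev, ErrAuthenticity
	}
	if !ev.IntegrityOK {
		return ev, ErrIntegrity
	}
	ev.Disposition = "APPROVED"
	return ev, nil
}

// makeRelease stands in for the vendor's build-and-sign step so the example
// runs offline; it is not something the entity runs.
func makeRelease(vendorPriv ed25519.PrivateKey, product, version string, payload []byte) VendorRelease {
	d := digestHex(payload)
	return VendorRelease{Product: product, Version: version, Payload: payload, Digest: d,
		Signature: ed25519.Sign(vendorPriv, []byte(d))}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair; vendorPub is what the entity pins
	rel := makeRelease(vendorPriv, "Example RTU firmware (constructed)", "4.2.1", []byte("constructed firmware image bytes"))

	ev, err := VerifyRelease(rel, vendorPub, time.Now())
	fmt.Println("genuine release:", ev.Disposition, err)

	// Bytes altered after signing: the signature still verifies, the digest does not match.
	tampered := rel
	tampered.Payload = append(append([]byte(nil), rel.Payload...), 0x00)
	_, err = VerifyRelease(tampered, vendorPub, time.Now())
	fmt.Println("tampered payload:", err)

	// Release signed with a key that is not the pinned vendor key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := makeRelease(otherPriv, rel.Product, rel.Version, rel.Payload)
	_, err = VerifyRelease(forged, vendorPub, time.Now())
	fmt.Println("unpinned signer:", err)
}
```

The order of the two checks matters for the evidence: a failed signature says nothing about the file, so the record shows authenticity first; a good signature with a mismatched digest isolates the problem to the bytes received. The pinned key is the control that makes the signature meaningful, so it belongs in the entity's own configuration management, not in the download.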
CIP-013-1 Part R1.2.6
"Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s)."
- How would a prudent entity establish coordination of controls for remote access?
Documenting Parts 1.2.1-1.2.6
How can an entity document compliance with Parts 1.2.1 through 1.2.6?
- In its R1 procurement plan
- For each applicable R2 implementation
Don't Forget CIP-005 & CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020).
These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable.
Auditing CIP-013-1 R1
- What R1 evidence will the CIP-013 audit team expect?
- What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
"Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1."
- What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
  - Archive SCRM evidence on a case-by-case basis
- What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
"Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months."
- Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3)
- No more than 15 calendar months apart thereafter
- What R3 evidence will the CIP-013 audit team expect?
- What R3 internal controls would a prudent entity develop?
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
- Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
- Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
- Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
- Develop and document the R1 SCRM procurement plan
- Develop an R2 implementation plan for the R1 SCRM plan
- Approve the initial R1 SCRM plan on or before July 1, 2020
- Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
- Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
- Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures
- Be proactive and monitor for future changes in CIP-013-2
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security
jbaugh@wecc.org
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
CIP-013-1 Part R125
Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and How can an entity verify the software integrity
and authenticity of software and patches provided by vendors
What would a prudent entity do once the integrity and authenticity of a software update or patch is verified
14
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
CIP-013-1 Part R126
Coordination of controls for (i) vendor-initiated Interactive Remote Access and (ii) system-to-system remote access with a vendor(s) How would a prudent entity establish
coordination of controls for remote access
15
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2: Review the 2019 NERC Staff Report on SCRM
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, ¶ 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1 - Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1-3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door - and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
• Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
• Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures
• Be proactive and monitor for future changes in CIP-013-2
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
  - Consideration of all applicable equipment
  - Accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized
  - Protection
  - Analysis
  - Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
- Annual reviews
- Roles and responsibilities
- Identification of tools
- Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
- Equipment Rating documentation
- Flagging when Equipment Rating changes impact Facility Ratings
- Identification of Facilities with unique characteristics
- Required fields dependent on characteristics of Facilities
- Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
- Anomalies are evaluated for applicability to other Facilities
- Identified Facilities are prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example
(Diagram: Facility Ratings linked to TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1 and PRC-023-4)
Change Management Example 1
Low Bar Power Company has no documented change management processes but states: "Its personnel will know to review Facility Ratings if equipment changes occur. Appropriate personnel should receive an email when Facility Ratings change."
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes are implemented
- Confirmation that changes were implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
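The Max Reliability Power Company inventory, verification and change-management controls described above, as an added Python example that is not code from the slides or from any registered entity: the Facility, its series equipment, the ampere ratings and the function names are all constructed for illustration.

```python
"""Facility Rating internal-control checks modelled on the FAC-008 slides.

Added example, not code from the NERC workshop slides or from any registered
entity. It models the three controls the slides describe for the hypothetical
Max Reliability Power Company: an inventory of the series equipment that
comprises each Facility, a detective verification that each Facility Rating
respects the most limiting applicable Equipment Rating, and a change-management
step that evaluates an Equipment Rating change for impact on the Facility
Rating and lists the groups to notify. All names and ratings are constructed.
"""
from dataclasses import dataclass

# Groups the slides list as recipients of automated Facility Rating change notifications.
NOTIFY_GROUPS = ("Protection Engineering", "System Planning",
                 "System Operations", "Operations Support")


@dataclass
class Equipment:
    name: str
    rating_amps: float        # Equipment Rating, in amperes (constructed values)
    applicable: bool = True   # False for inventory items not in the Facility's series path


@dataclass
class Facility:
    name: str
    equipment: list                 # series Equipment that comprises the Facility
    documented_rating_amps: float   # Facility Rating currently recorded in the inventory


def most_limiting(facility):
    """Return the applicable series element with the lowest Equipment Rating."""
    applicable = [e for e in facility.equipment if e.applicable]
    if not applicable:
        raise ValueError(f"{facility.name}: no applicable equipment in inventory")
    return min(applicable, key=lambda e: e.rating_amps)


def verify_facility(facility):
    """Detective control: the documented Facility Rating must not exceed the most
    limiting applicable Equipment Rating. A documented rating that is lower
    (more conservative) is not flagged as an anomaly."""
    limiting = most_limiting(facility)
    return {
        "facility": facility.name,
        "documented": facility.documented_rating_amps,
        "most_limiting": limiting.name,
        "limit": limiting.rating_amps,
        "ok": facility.documented_rating_amps <= limiting.rating_amps,
    }


def apply_equipment_change(facility, equipment_name, new_rating_amps):
    """Change-management control: apply an Equipment Rating change, decide whether
    the Facility Rating is impacted, update the inventory if it is, and return a
    change record naming the new bottleneck and the groups to notify."""
    target = next((e for e in facility.equipment if e.name == equipment_name), None)
    if target is None:
        raise KeyError(f"{facility.name}: unknown equipment {equipment_name!r}")
    old_limit = most_limiting(facility).rating_amps
    old_equipment_rating = target.rating_amps
    target.rating_amps = new_rating_amps
    new_limiting = most_limiting(facility)
    impacted = new_limiting.rating_amps != old_limit
    if impacted:
        # The Facility Rating follows the new most limiting element, which may be
        # a different element: uprating the old bottleneck raises the Facility
        # Rating only as far as the next bottleneck in the series path.
        facility.documented_rating_amps = new_limiting.rating_amps
    return {
        "facility": facility.name,
        "equipment": equipment_name,
        "equipment_rating": (old_equipment_rating, new_rating_amps),
        "facility_rating": (old_limit, new_limiting.rating_amps),
        "impacted": impacted,
        "most_limiting": new_limiting.name,
        "notify": list(NOTIFY_GROUPS) if impacted else [],
    }


def build_sample_facility():
    """Constructed sample: one line Facility and the series elements in its path."""
    return Facility("Line 2301 (constructed)", [
        Equipment("conductor", 1200),
        Equipment("breaker", 1200),
        Equipment("current transformer", 800),    # the bottleneck as inventoried
        Equipment("wave trap", 1000),
        Equipment("disconnect switch", 1200),
        Equipment("spare breaker in yard", 600, applicable=False),  # not in series path
    ], documented_rating_amps=800)


if __name__ == "__main__":
    fac = build_sample_facility()
    print(verify_facility(fac))                                      # ok: 800 respects the 800 A CT
    print(apply_equipment_change(fac, "conductor", 1100))            # no impact, still limited by the CT
    print(apply_equipment_change(fac, "current transformer", 1200))  # impact: 800 -> 1000 (wave trap)
    print(verify_facility(fac))
```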
Questions
Break: Webinar participants, we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23 – 24th, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in the CT, MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Service territory map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

Registered Entity                              DP  TO  TOP  TP  TSP
Eversource Energy Service Company (NCR07176)   X   X   X    X   X

DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider
Documenting Parts 121-126
How can an entity document compliance with Parts 121 through 126
bull In its R1 procurement planbull For each applicable R2 implementation
16
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Donrsquot Forget CIP-005 amp CIP-010
A prudent entity will prepare for compliance with CIP-005-6 Part 24 and Part 25 as well as CIP-010-3 Part 16 on or before the effective date (July 1 2020)
These components will be audited by the CIP-005 and CIP-010 audit teams as applicable
17
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect
What R1 internal controls would a prudent entity develop
18
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System
Change Management Example
(Diagram) Facility Ratings linked to: TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, PRC-023-4
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes are implemented
• Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
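The inventory, verification and change-management controls on the slides above can be expressed as a small program. The following is an added example, not code from the slides, from NERC or from either hypothetical company: it models a Facility as its series equipment, derives the Facility Rating as the most limiting applicable Equipment Rating, runs the detective verification check against the documented rating, and, on an Equipment Rating change, flags whether the Facility Rating is impacted and lists the groups named on the slides to notify. The facility name, equipment and ampere ratings are constructed sample data; the function and field names are this example's own assumptions.

```python
"""Facility Rating inventory, verification and change-impact flagging (added example).

Models the controls on the slides: the Facility Rating is the most limiting
applicable Equipment Rating of the series equipment comprising the Facility;
verification recomputes it and compares with the documented rating; a change
to an Equipment Rating is flagged when it moves the Facility Rating and the
groups named on the slides are notified. Names and ratings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Groups that receive automated Facility Rating change notifications (from the slides).
NOTIFY_GROUPS = ("Protection Engineering", "System Planning",
                 "System Operations", "Operations Support")


@dataclass
class Equipment:
    name: str
    rating_amps: float             # applicable Equipment Rating, in amperes


@dataclass
class Facility:
    name: str
    equipment: List[Equipment]     # series elements that comprise the Facility
    documented_rating_amps: float  # Facility Rating as recorded in the inventory

    def most_limiting(self) -> Equipment:
        """Series element with the lowest applicable Equipment Rating."""
        return min(self.equipment, key=lambda e: e.rating_amps)

    def computed_rating_amps(self) -> float:
        """Facility Rating derived from the equipment, per the FAC-008 objective."""
        return self.most_limiting().rating_amps


def verify_facility(fac: Facility) -> Optional[str]:
    """Detective control: describe the anomaly, or None if the documented rating
    matches the most limiting Equipment Rating."""
    computed = fac.computed_rating_amps()
    if computed == fac.documented_rating_amps:
        return None
    limiting = fac.most_limiting()
    return (f"{fac.name}: documented {fac.documented_rating_amps:g} A, but most "
            f"limiting element {limiting.name} is rated {computed:g} A")


def apply_equipment_change(fac: Facility, equipment_name: str,
                           new_rating_amps: float) -> Dict[str, object]:
    """Change-management control: record an Equipment Rating change, flag whether
    it impacts the Facility Rating, update the inventory and list who to notify."""
    before = fac.computed_rating_amps()
    for e in fac.equipment:
        if e.name == equipment_name:
            e.rating_amps = new_rating_amps
            break
    else:
        raise KeyError(f"{equipment_name} is not part of {fac.name}")
    after = fac.computed_rating_amps()
    impacted = after != before
    if impacted:
        fac.documented_rating_amps = after  # inventory updated after the change
    return {
        "facility": fac.name,
        "equipment": equipment_name,
        "rating_before_amps": before,
        "rating_after_amps": after,
        "facility_rating_impacted": impacted,
        "notify": list(NOTIFY_GROUPS) if impacted else [],
    }


def sample_facility() -> Facility:
    """Constructed sample: one line terminal made of four series elements."""
    return Facility(
        name="Line 101 terminal",
        equipment=[
            Equipment("conductor", 1200.0),
            Equipment("breaker B101", 2000.0),
            Equipment("CT 1200:5", 1200.0),
            Equipment("disconnect switch", 1600.0),
        ],
        documented_rating_amps=1200.0,
    )


if __name__ == "__main__":
    fac = sample_facility()
    print("verification:", verify_facility(fac) or "consistent")
    # Raising a non-limiting element's rating does not change the Facility Rating.
    print(apply_equipment_change(fac, "disconnect switch", 3000.0))
    # Derating the breaker below the conductor makes it the new limiting element.
    print(apply_equipment_change(fac, "breaker B101", 1000.0))
    print("verification:", verify_facility(fac) or "consistent")
```

The two changes in the usage show the distinction the Max Reliability slides draw: a change that leaves the most limiting element unchanged produces no Facility Rating notification, while one that derates an element below the current limit updates the inventory and notifies all four groups. The verification function run afterwards is the detective control that catches a documented rating left stale by a process that skipped that update.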
Questions
Break
Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in the states of CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approximately 8,000 employees.
(Map labels: ISO-NE, NSTAR, CONVEX, ESCC)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:
  Registered Entity                   NCR        DP  TO  TOP  TP  TSP
  Eversource Energy Service Company   NCR07176   X   X   X    X   X
  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
Auditing CIP-013-1 R1
What R1 evidence will the CIP-013 audit team expect?
What R1 internal controls would a prudent entity develop?
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.
What R2 evidence demonstrating implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
• Archive SCRM evidence on a case-by-case basis
What R2 internal controls would a prudent entity develop?
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.
• Initial review and approval is due on or before July 1, 2020 (NERC 2017 July Implementation Plan, Initial Performance section, p. 3)
• No more than 15 calendar months apart thereafter
What R3 evidence will the CIP-013 audit team expect?
What R3 internal controls would a prudent entity develop?
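One R3 internal control a prudent entity could automate is a periodicity check on the plan's approval history. The script below is an added example, not from the slides or from NERC: it checks a list of SCRM plan approval dates against the two dates stated above, an initial approval on or before July 1, 2020 and subsequent approvals no more than 15 calendar months apart. It counts "N calendar months after day D" as the same day of the month N months later, clamped to that month's last day; that counting convention and the function names are assumptions of this example, and the approval dates in the usage are constructed.

```python
"""Detective control for CIP-013-1 R3 review/approval periodicity (added example).

Assumptions (not from the slides): the plan must be approved on or before
INITIAL_DEADLINE, and each later approval must fall within MAX_MONTHS calendar
months of the previous one, where "N calendar months after day D" is the same
day of the month N months later, clamped to that month's last day.
"""
from datetime import date
from typing import List

INITIAL_DEADLINE = date(2020, 7, 1)   # from the Implementation Plan cited on the slide
MAX_MONTHS = 15                       # "at least once every 15 calendar months"


def add_calendar_months(d: date, months: int) -> date:
    """Advance d by whole calendar months; clamp the day to the target month's end."""
    carry, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month0 + 1
    if month == 12:
        last_day = 31
    else:
        last_day = (date(year, month + 1, 1) - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


def due_date(approval_iso: str) -> str:
    """ISO date by which the next R3 approval is due after the given approval."""
    return add_calendar_months(date.fromisoformat(approval_iso), MAX_MONTHS).isoformat()


def check_r3(approval_isos: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the periodicity was met."""
    if not approval_isos:
        return ["no SCRM plan approval on record"]
    dates = sorted(date.fromisoformat(s) for s in approval_isos)
    findings = []
    if dates[0] > INITIAL_DEADLINE:
        findings.append(f"initial approval {dates[0]} is after {INITIAL_DEADLINE}")
    for prev, cur in zip(dates, dates[1:]):
        due = add_calendar_months(prev, MAX_MONTHS)
        if cur > due:
            findings.append(f"approval {cur} is more than {MAX_MONTHS} calendar months "
                            f"after {prev} (was due by {due})")
    return findings


if __name__ == "__main__":
    # Constructed sample approval history: the third approval is late.
    history = ["2020-06-15", "2021-09-15", "2023-01-20"]
    for finding in check_r3(history) or ["no findings"]:
        print(finding)
    print("next approval due by", due_date(history[-1]))
```

The month-end clamp is the edge case worth testing: an approval on January 31 has its next approval due April 30 of the following year, not an invalid "April 31". The same check, fed from the entity's approval records, gives a dated due-by value that can be tracked as R3 evidence between audits.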
Looking Ahead to CIP-013-2
Review the 2019 NERC Staff Report on SCRM:
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850, CIP-013-1 – Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1, Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door – and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated and approved at least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020.
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures.
Be proactive and monitor for future changes in CIP-013-2.
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor – Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility:
• Consideration of all applicable equipment
• Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized:
• Protection
• Analysis
• Monitoring
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives.
All entities will have some level of internal controls in place.
Internal control expectations are dependent on the inherent risk of the entity.
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Implementing the SCRM Plan (R2)
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1 What R2 evidence demonstrating an
implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date
Archive SCRM evidence on a case-by-case basis What R2 internal controls would a prudent entity
develop
19
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Approving the SCRM Plan (R3)
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months Initial review and approval is due on or before July 1
2020 (NERC 2017 July Implementation Plan Initial Performance section p 3)
No more than 15 calendar months apart thereafter What R3 evidence will the CIP-013 audit team expect What R3 internal controls would a prudent entity develop
20
Looking Ahead to CIP-013-2 Review the 2019 NERC Staff Report on SCRM
bull Addresses FERCrsquos directive to ldquodevelop modifications to include EACMS associated with medium and high BES Cyber Systemsrdquo (FERC Order 850 para 5 p 54994) within 24 months of the effective date of Order 850
bull Also addresses FERC concerns relative to the SCRM impacts of PACS PCA and LIBCS
bull Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS with more to come later on from FERC NERC and the SDT
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents
21
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
- Methodology
- Inventory
- Verification
- Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
- Annual reviews
- Roles and responsibilities
- Identification of tools
- Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
- Equipment Rating documentation
- Flagging when Equipment Rating changes impact Facility Ratings
- Identification of Facilities with unique characteristics
- Required fields dependent on characteristics of Facilities
- Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate:
- Anomalies evaluated for applicability to other Facilities
- Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example
Facility Ratings:
- TOP-003-3
- TOP-001-4
- TOP-002-4
- TPL-001-4
- IRO-010-2
- MOD-032-1
- PRC-023-4
Change Management Example 1
Low Bar Power Company has no documented change management processes but states: "Its personnel will know to review Facility Ratings if equipment changes occur. Appropriate personnel should receive an email when Facility Ratings change."
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for equipment changes that include:
- Evaluation of changes by subject matter experts
- Required change approvals prior to changes being implemented
- Notification to update inventory after changes are implemented
- Confirmation that changes were implemented as planned
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
- Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
- Checklist to verify appropriate follow-up action(s) taken
- Periodic comparisons with internal and external models
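The inventory, verification and change-management controls described on the slides above, as an added example that is not part of the presentation: a small Python model of the "Max Reliability Power Company" inventory database, in which the Facility Rating is derived from the most limiting series Equipment Rating, verification recomputes it and flags anomalies, and an Equipment Rating change is evaluated for Facility Rating impact and routed to the four groups listed. All facility names, equipment identifiers, ratings and documentation references are constructed sample data.

```python
"""Facility Rating inventory, verification and change-management controls.
Added example (not from the presentation) modelling the slides' "Max Reliability
Power Company" inventory database; all names and ratings are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Groups the slides list as recipients of automated Facility Rating change notices.
NOTIFY_GROUPS = ("Protection Engineering", "System Planning",
                 "System Operations", "Operations Support")

@dataclass
class Equipment:
    equipment_id: str
    kind: str            # conductor, breaker, CT, switch, ... (constructed)
    rating_amps: float   # applicable Equipment Rating
    rating_source: str   # Equipment Rating documentation reference; "" if missing

@dataclass
class Facility:
    name: str
    documented_rating_amps: float   # rating published to protection/operations/planning
    series_equipment: list[Equipment] = field(default_factory=list)

    def most_limiting(self) -> Equipment:
        """Series element with the lowest Equipment Rating; the Facility Rating
        may not exceed its rating."""
        return min(self.series_equipment, key=lambda e: e.rating_amps)

    def calculated_rating(self) -> float:
        return self.most_limiting().rating_amps

def verify_facility(fac: Facility) -> list[str]:
    """Detective control: recompute the Facility Rating from inventory and
    report anomalies (empty inventory, undocumented Equipment Rating,
    documented Facility Rating above the most limiting element)."""
    findings: list[str] = []
    if not fac.series_equipment:
        return [f"{fac.name}: no series equipment recorded in inventory"]
    for eq in fac.series_equipment:
        if not eq.rating_source:
            findings.append(f"{fac.name}: {eq.equipment_id} has no Equipment Rating documentation")
    limit = fac.most_limiting()
    if fac.documented_rating_amps > limit.rating_amps:
        findings.append(
            f"{fac.name}: documented rating {fac.documented_rating_amps:g} A exceeds "
            f"most limiting element {limit.equipment_id} ({limit.rating_amps:g} A)")
    return findings

@dataclass
class ChangeRecord:
    """Audit-trail entry produced by the change-management control."""
    facility: str
    equipment_id: str
    old_equipment_rating: float
    new_equipment_rating: float
    old_facility_rating: float
    new_facility_rating: float
    notified: tuple[str, ...] = ()

    @property
    def facility_rating_changed(self) -> bool:
        return self.old_facility_rating != self.new_facility_rating

def apply_equipment_change(fac: Facility, equipment_id: str, new_rating: float) -> ChangeRecord:
    """Change-management control: apply an Equipment Rating change, evaluate its
    impact on the Facility Rating, update the documented rating when it moves,
    and record which groups were notified (none when the rating is unchanged)."""
    matches = [e for e in fac.series_equipment if e.equipment_id == equipment_id]
    if not matches:
        raise KeyError(f"{equipment_id} is not series equipment of {fac.name}")
    eq = matches[0]
    old_eq, old_fac = eq.rating_amps, fac.calculated_rating()
    eq.rating_amps = new_rating
    new_fac = fac.calculated_rating()
    notified: tuple[str, ...] = ()
    if new_fac != old_fac:
        fac.documented_rating_amps = new_fac   # keep the published rating in step
        notified = NOTIFY_GROUPS                # automated notification of the change
    return ChangeRecord(fac.name, equipment_id, old_eq, new_rating,
                        old_fac, new_fac, notified)

def sample_facility() -> Facility:
    """Constructed sample: a line terminal with four series elements; the
    1200 A current transformer is the most limiting element."""
    return Facility("Line 1234 (constructed)", 1200.0, [
        Equipment("COND-1", "conductor", 1400.0, "conductor table rev 3"),
        Equipment("CB-1", "breaker", 2000.0, "nameplate"),
        Equipment("CT-1", "current transformer", 1200.0, "nameplate 1200:5"),
        Equipment("SW-1", "disconnect switch", 1600.0, ""),   # undocumented rating
    ])

if __name__ == "__main__":
    fac = sample_facility()
    print("verification:", verify_facility(fac))        # flags SW-1 documentation gap
    print(apply_equipment_change(fac, "CB-1", 1800.0))   # no Facility Rating change
    print(apply_equipment_change(fac, "CT-1", 2000.0))   # 1200 -> 1400 A, groups notified
```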
Questions
Break: webinar participants, we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
[Service territory map; labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018 PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

  Entity                               NCR        DP  TO  TOP  TP  TSP
  Eversource Energy Service Company    NCR07176   X   X   X    X   X

  (DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
Looking Ahead to CIP-013-2: Review the 2019 NERC Staff Report on SCRM
• Addresses FERC's directive to "develop modifications to include EACMS associated with medium and high BES Cyber Systems" (FERC Order 850, ¶ 5, p. 54994) within 24 months of the effective date of Order 850
• Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA and LIBCS
• Provides insight into various industry white papers (NERC Supply Chain Risk Mitigation Program)
Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC and the SDT.
The SCWG is developing SCRM procurement documents which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents.
ERO References
FERC (2018, October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard, Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
NERC (2019, February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
NERC (2018, October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
NERC (n.d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
Industry References
Executive Order 13873 (2019, May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
Executive Order 13636 (2013, February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
NATF (2017, November 6). Software Integrity & Authenticity: Implementation Guidance for CIP-010-3 R1, Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf
Other References
Department of Homeland Security [DHS-CISA] (2019, May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
Network Security (2018, August). Russian Hackers Breach US Electricity Network. Elsevier Press, ISSN 1353-4858, pp. 1-3. Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
Smith, R. (2018, July 23). Russian Hackers Reach US Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith, R. & Barry, R. (2019, January 10). America's Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
ERO References FERC (2018 October 26) Order No 850 CIP-013-1mdashSupply Chain Risk
Management Reliability Standard Final Rule 165 FERC para 61 020 18 CFR Part 40 Docket No RM17-13-000 In Federal Register 83(208) pp 53992-54005 Retrieved from httpswwwgpogovfdsyspkgFR-2018-10-26pdf2018-23201pdf
NERC (2019 February 9) Cybersecurity Supply Chain Risks Staff Report and Recommended Actions [Draft] In MRC Agenda Item 9 pp 4-43 Retrieved from httpswwwrtoinsidercomwp-contentuploadsDraft-NERC-Supply-Chain-Report-2-6-19pdf
NERC (2018 October 18) CIP-013-1 ndash Cyber Security - Supply Chain Risk Management [Reliability Standard] Retrieved fromhttpswwwnerccompaStandReliability20StandardsCIP-013-1pdf
NERC (n d) Supply Chain Risk Mitigation Program [Links to Industry White Papers] Retrieved from httpswwwnerccompacompPagesSupply-Chain-Risk-Mitigation-Programaspx
22
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Industry References Executive Order 13873 (2019 May 17) Securing the Information and Communications Technology
and Services Supply Chain In Federal Register 84(96) pp 22689-22692 Retrieved fromhttpswwwgovinfogovcontentpkgFR-2019-05-17pdf2019-10538pdf
Executive Order 13636 (2013 February 19) Improving Critical Infrastructure Cybersecurity In Federal Register 78(33) pp 11739-11744 Retrieved fromhttpswwwfederalregistergovdocuments201302192013-03915improving-critical-infrastructure-cybersecurity
NATF (2017 November 6) Software Integrity amp Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 16 [ERO Approved Guidance Document] Retrieved fromhttpswwwnerccompacompguidanceEROEndorsedImplementationGuidanceCIP-010-320R1620Software20Integrity20and20Authenticitypdf
24
Other References Department of Homeland Security [DHS-CISA] (2019 May 20) Unmanned Aircraft
Systems (UAS) - Critical Infrastructure Retrieved fromhttpswwwdhsgovcisauas-critical-infrastructure
Network Security (2018 August) Russian Hackers Breach US Electricity Network Elsevier Press ISSN 1353-4858 (pp 1-3) Retrieved fromhttpswwwsciencedirectcomsciencearticlepiiS1353485818300722via3Dihub
Smith R (2018 July 23) Russian Hackers Reach US Utility Control Rooms The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesrussian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
Smith R amp Barry R (2019 January 10) Americarsquos Electric Grid Has a Vulnerable Back Doormdashand Russia Walked Through It The Wall Street Journal [Online] Retrieved from httpswwwwsjcomarticlesamericas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
25
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
Change Management Example 2 (continued)
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
Questions
Break
Webinar participants: we will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approximately 8,000 employees.
[Map of Eversource service territories; labels: ISO-NE, NSTAR, CONVEX, ESCC]
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

Registered Entity                             | DP | TO | TOP | TP | TSP
Eversource Energy Service Company (NCR07176)  | X  | X  | X   | X  | X

(DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
Audit Approach & IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
• Develop and document the R1 SCRM procurement plan
• Develop an R2 implementation plan for the R1 SCRM plan
• Approve the initial R1 SCRM plan on or before July 1, 2020
• Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
• Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
• Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes, and procedures
• Be proactive and monitor for future changes in CIP-013-2
Time permitting, are there any other questions?
Contact
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
jbaugh@wecc.org
Keith Smith, Manager, O&P Compliance Monitoring
Facility Rating Internal Controls
Objectives
• Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
  • Consideration of all applicable equipment
  • Accurate Equipment Ratings
• Ensure established Facility Ratings are consistently utilized
  • Protection
  • Analysis
  • Monitoring
Internal Controls
• Internal controls are the processes and tools an entity utilizes to meet the identified objectives
• All entities will have some level of internal controls in place
• Internal control expectations are dependent on the inherent risk of the entity
Internal Controls
• Methodology
• Inventory
• Verification
• Change Management
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities.
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Audit Approach amp IC Summary
Approach CIP-013-1 compliance as a project with well-defined tasks timelines and processes designed to
bull Develop and document the R1 SCRM procurement planbull Develop an R2 implementation plan for the R1 SCRM planbull Approve the initial R1 SCRM plan on or before July 1 2020bull Ensure the R1 SCRM procurement plan is reviewed updated and approved at
least once every 15 calendar months thereafter
Maintain R1-R3 audit evidence relative to new procurement of all vendor products andor services obtained for High and Medium BCS after July 1 2020
Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans processes and procedures
Be proactive and monitor for future changes in CIP-013-2 Time permitting are there any other questions
26
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Contact
Dr Joseph B BaughSenior Compliance AuditormdashCyber Security
jbaughweccorg
27
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
Keith SmithManager OampP Compliance Monitoring
Facility Rating Internal Controls
Meeting Title Date
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
2
Objectives
Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility Consideration of all applicable equipment Accurate Equipment Ratings
Ensure established Facility Ratings are consistently utilized Protection Analysis Monitoring
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions and process for determining Facility Ratings.
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
• Annual reviews
• Roles and responsibilities
• Identification of tools
• Step-by-step work instructions
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
• Establishing Facility Ratings
• Evaluating change impacts
• Verifying Facility Ratings
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
Verification
Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings.
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
• Anomalies evaluated for applicability to other Facilities
• Identified Facilities prioritized for future field inspections
Change Management
Change management processes are necessary to ensure:
• Equipment Rating changes are evaluated to identify impacts to Facility Ratings
• Facility Rating changes are evaluated to identify impacts to protection, analysis and monitoring of the Bulk Electric System
Change Management Example
[Diagram: Facility Ratings feed into TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1 and PRC-023-4]
Change Management Example 1
Low Bar Power Company has no documented change management processes but states:
• Its personnel will know to review Facility Ratings if equipment changes occur
• Appropriate personnel should receive an email when Facility Ratings change
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include:
• Evaluation of changes by subject matter experts
• Required change approvals prior to changes being implemented
• Notification to update inventory after changes implemented
• Confirmation that changes implemented as planned
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to:
  • Protection Engineering
  • System Planning
  • System Operations
  • Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
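The inventory, verification and change-management controls on the preceding slides all rest on one rule (a Facility Rating must respect the most limiting Equipment Rating of the equipment in series) and two checks on it. The following is an added example written for this page; it is not code from the workshop, Eversource or NERC. It models a toy inventory in which each Facility is a list of series equipment, verify() is the detective control that flags a declared rating that does not respect the computed limit, evaluate_equipment_change() reports which Facility Ratings an Equipment Rating change would actually move, and publish_facility_rating() refuses a Facility Rating that does not match the inventory before returning the groups to notify. All equipment IDs, ratings, the use of amperes, and the sample discrepancy (a line declared off its conductor rating while a lower-rated CT in series was overlooked) are constructed assumptions.

```python
"""Toy Facility Rating inventory with a detective control and change-impact
evaluation. Added example; IDs, ratings and amp units are constructed."""
from dataclasses import dataclass


@dataclass
class Equipment:
    eq_id: str
    rating_amps: float   # Equipment Rating (continuous ampacity is an assumption)


@dataclass
class Facility:
    fac_id: str
    series_equipment: list       # IDs of the equipment in series through the Facility
    declared_rating_amps: float  # Facility Rating as published to operations/planning


# Groups named on the slide that are notified of Facility Rating changes.
NOTIFY_GROUPS = ("Protection Engineering", "System Planning",
                 "System Operations", "Operations Support")


class RatingInventory:
    def __init__(self, equipment, facilities):
        self.equipment = {e.eq_id: e for e in equipment}
        self.facilities = {f.fac_id: f for f in facilities}

    def computed_rating(self, fac_id):
        """Most limiting Equipment Rating among the Facility's series equipment.
        An element with no rating on file is an inventory gap, not a silent skip."""
        fac = self.facilities[fac_id]
        missing = [e for e in fac.series_equipment if e not in self.equipment]
        if missing:
            raise KeyError(f"{fac_id}: no Equipment Rating on file for {missing}")
        return min(self.equipment[e].rating_amps for e in fac.series_equipment)

    def limiting_elements(self, fac_id):
        limit = self.computed_rating(fac_id)
        return sorted(e for e in self.facilities[fac_id].series_equipment
                      if self.equipment[e].rating_amps == limit)

    def verify(self):
        """Detective control: Facilities whose declared rating differs from the most
        limiting Equipment Rating, as (fac_id, declared, computed, limiting elements)."""
        findings = []
        for fac_id, fac in self.facilities.items():
            computed = self.computed_rating(fac_id)
            if fac.declared_rating_amps != computed:
                findings.append((fac_id, fac.declared_rating_amps, computed,
                                 self.limiting_elements(fac_id)))
        return findings

    def evaluate_equipment_change(self, eq_id, new_rating_amps):
        """Impact evaluation without mutating the inventory: which Facility Ratings
        would move if this Equipment Rating changed, as (fac_id, before, after)."""
        if eq_id not in self.equipment:
            raise KeyError(f"unknown equipment {eq_id}")
        impacts = []
        for fac in self.facilities.values():
            if eq_id not in fac.series_equipment:
                continue
            before = self.computed_rating(fac.fac_id)
            others = [self.equipment[e].rating_amps
                      for e in fac.series_equipment if e != eq_id]
            after = min(others + [new_rating_amps])
            if after != before:  # a change to a non-limiting element moves nothing
                impacts.append((fac.fac_id, before, after))
        return impacts

    def apply_equipment_change(self, eq_id, new_rating_amps):
        """Record an approved Equipment Rating change. Declared Facility Ratings are
        deliberately left alone: verify() keeps flagging them until the follow-up is
        recorded through publish_facility_rating, so a missed update stays visible."""
        impacts = self.evaluate_equipment_change(eq_id, new_rating_amps)
        self.equipment[eq_id].rating_amps = new_rating_amps
        return impacts

    def publish_facility_rating(self, fac_id, new_rating_amps):
        """Preventive check on the Facility Rating update: refuse a value that does
        not equal the most limiting Equipment Rating, then return who to notify."""
        computed = self.computed_rating(fac_id)
        if new_rating_amps != computed:
            raise ValueError(f"{fac_id}: {new_rating_amps} A does not respect the limit "
                             f"{computed} A set by {self.limiting_elements(fac_id)}")
        self.facilities[fac_id].declared_rating_amps = new_rating_amps
        return NOTIFY_GROUPS


def build_sample_inventory():
    """Constructed sample: FAC-LINE-101 was declared off its 1500 A conductor and
    the 1200 A CT in series was overlooked; FAC-XFMR-2 is declared correctly."""
    equipment = [Equipment("CB-101", 2000), Equipment("DISC-101", 1600),
                 Equipment("CT-101", 1200), Equipment("LINE-101", 1500),
                 Equipment("XFMR-2", 900), Equipment("CB-202", 1200)]
    facilities = [
        Facility("FAC-LINE-101", ["CB-101", "DISC-101", "CT-101", "LINE-101"], 1500),
        Facility("FAC-XFMR-2", ["XFMR-2", "CB-202"], 900),
    ]
    return RatingInventory(equipment, facilities)
```

On the constructed sample, verify() immediately surfaces FAC-LINE-101 (declared 1500 A, limited to 1200 A by CT-101). Raising the non-limiting DISC-101 produces no impact and therefore no notification, while lowering CB-202 to 800 A moves FAC-XFMR-2 and leaves an open verify() finding until the 800 A rating is published, which is the point at which the four groups are told.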
Questions
Break. Webinar participants: we will return at 3:45 pm Central.
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23-24, 2019
Minneapolis, MN 55402
Paolo D'Alessandro, JD, Senior Specialist, Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
3
Internal Controls
Internal controls are the processes and tools an entity utilizes to meet the identified objectives
All entities will have some level of internal controls in place
Internal control expectations dependent on inherent risk of entity
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
4
Internal Controls
Methodology
Inventory
Verification
Change Management
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
5
Facility Rating Methodology
FAC-008 requires registered entities to have a methodology
andor documentation that includes the method
assumptions and process for determining
Facility Ratings
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
6
Facility Rating Methodology Example 1
Low Bar Power Company has a methodology addressing each item required by the Standard at a high level
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
7
Facility Rating Methodology Example 2
Max Reliability Power Company has a detailed methodology that address each item in the Standard and includes Annual reviews Roles and responsibilities Identification of tools Step-by-step work instructions
8
Inventory
Inventory tracking of Facility Ratings the equipment that comprises each Facility and
all Equipment Ratings is necessary for
- Establishing Facility Ratings- Evaluating change impacts- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust, documented change management processes for Facility Rating changes that include:
• Automated notification of Facility Rating changes to Protection Engineering, System Planning, System Operations and Operations Support
• Checklist to verify appropriate follow-up action(s) taken
• Periodic comparisons with internal and external models
19
Questions
Break
Webinar participants: We will return at 3:45 pm Central.
Safety First and Always
NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019
Minneapolis, MN 55402
Paolo D’Alessandro, JD, Senior Specialist, Reliability Compliance
Eversource Energy Service Territories
Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Map labels: ISO-NE, NSTAR, CONVEX, ESCC)
2
Eversource Energy One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018 PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP.
• As of January 2018 Eversource Energy’s functional registration is now:

Registered Entity                  NCR       DP  TO  TOP  TP  TSP
Eversource Energy Service Company  NCR07176  X   X   X    X   X

(DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider)
8
Inventory
Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:
- Establishing Facility Ratings
- Evaluating change impacts
- Verifying Facility Ratings
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities.
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings and Facility Rating for its Facilities, and includes:
• Equipment Rating documentation
• Flagging when Equipment Rating changes impact Facility Ratings
• Identification of Facilities with unique characteristics
• Required fields dependent on characteristics of Facilities
• Automated notification for Facility Rating changes
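The following is an added example, not from the workshop slides and not any registered entity's actual tooling: a small Python model of the three controls the Inventory, Verification and Change Management slides describe. It keeps an inventory of each Facility's series equipment with the documentation for each Equipment Rating, runs the detective check that a documented Facility Rating does not exceed the most limiting Equipment Rating (naming the limiting element), and, when an Equipment Rating changes, flags every Facility whose limiting rating moves and routes a notification to the four groups named on the Change Management Example 2 slide. Facility and equipment names, ratings and document references are constructed sample data.

```python
"""Added example (not from the NERC slides): inventory, verification and
change-management controls for Facility Ratings as a small Python model.
All facility/equipment names, ratings and document references below are
constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Equipment:
    name: str
    rating_amps: float   # applicable Equipment Rating (constructed value, in amps)
    documentation: str   # source of the rating, e.g. nameplate or data sheet


@dataclass
class Facility:
    name: str
    documented_rating_amps: float                               # Facility Rating as recorded
    equipment: list[Equipment] = field(default_factory=list)   # series equipment


def most_limiting_rating(facility: Facility) -> float:
    """Lowest applicable Equipment Rating among the Facility's series equipment."""
    if not facility.equipment:
        raise ValueError(f"{facility.name}: no equipment recorded in inventory")
    return min(e.rating_amps for e in facility.equipment)


def verify_facility_ratings(inventory: list[Facility]) -> list[dict]:
    """Detective control: flag Facilities whose documented Facility Rating
    exceeds the most limiting Equipment Rating, naming the limiting element(s)."""
    findings = []
    for fac in inventory:
        limit = most_limiting_rating(fac)
        if fac.documented_rating_amps > limit:
            findings.append({
                "facility": fac.name,
                "documented": fac.documented_rating_amps,
                "most_limiting": limit,
                "limiting_equipment": [e.name for e in fac.equipment
                                       if e.rating_amps == limit],
            })
    return findings


# Groups named on the slide as recipients of Facility Rating change notifications.
NOTIFY = ["Protection Engineering", "System Planning",
          "System Operations", "Operations Support"]


def apply_equipment_rating_change(inventory: list[Facility], equipment_name: str,
                                  new_rating_amps: float, doc_ref: str) -> list[dict]:
    """Change-management step: record a new Equipment Rating in the inventory and
    return one notification record for every Facility whose most limiting rating
    moves as a result. A change that leaves the limit untouched is still recorded
    but produces no Facility Rating notification."""
    impacted = []
    for fac in inventory:
        matches = [e for e in fac.equipment if e.name == equipment_name]
        if not matches:
            continue
        old_limit = most_limiting_rating(fac)
        for e in matches:
            e.rating_amps = new_rating_amps
            e.documentation = doc_ref
        new_limit = most_limiting_rating(fac)
        if new_limit != old_limit:
            impacted.append({"facility": fac.name, "old_limit": old_limit,
                             "new_limit": new_limit, "notify": list(NOTIFY)})
    return impacted


def sample_inventory() -> list[Facility]:
    """Constructed sample data: two lines. Line 101 carries a wave trap rated
    below the Facility Rating that was taken from the one-line diagram."""
    return [
        Facility("Line 101 (Sub A - Sub B)", 1200.0, [
            Equipment("Conductor 795 ACSR", 1200.0, "conductor data sheet"),
            Equipment("Breaker A-101", 1200.0, "nameplate"),
            Equipment("Wave trap A-101", 1000.0, "nameplate"),
        ]),
        Facility("Line 202 (Sub B - Sub C)", 900.0, [
            Equipment("Conductor 556 ACSR", 900.0, "conductor data sheet"),
            Equipment("Breaker B-202", 1200.0, "nameplate"),
            Equipment("Disconnect B-202", 1200.0, "nameplate"),
        ]),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for f in verify_facility_ratings(inv):
        print("VERIFICATION:", f)
    for n in apply_equipment_rating_change(inv, "Disconnect B-202", 800.0,
                                           "derating memo (constructed)"):
        print("NOTIFY:", n)
```

Run stand-alone, the verification pass reports Line 101 (documented 1200 A against a 1000 A wave trap, the element a one-line-diagram review misses), and the derating of Disconnect B-202 to 800 A produces a notification for Line 202 because its limiting rating moved from 900 A to 800 A; a second verification pass would then also flag Line 202, which is the point of re-running the detective control after every change.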
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
9
Inventory Example 1
Low Bar Power Company maintains a spreadsheet that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
10
Inventory Example 2
Max Reliability Power Company maintains a database that identifies the series equipment Equipment Ratings and Facility Rating for its Facilities and includes Equipment Rating documentation Flagging when Equipment Rating changes impact Facility Ratings Identification of Facilities with unique characteristics Required fields dependent on characteristics of Facilities Automated notification for Facility Rating changes
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
11
Verification
Verification of Facility Ratings is a detective control to help ensure
Facility Ratings respect the most limiting
applicable Equipment Rating of the individual
equipment that comprises that Facility
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
12
Verification Example 1
Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
13
Verification Example 2
Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate Anomalies evaluated for applicability to other Facilities Identified Facilities prioritized for future field inspections
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories Eversource provides electric service in CT
MA and NH states through the following regulated subsidiaries (all doing business as Eversource Energy)ndash Connecticut Light amp Power with over
1270000 electric customersndash NSTAR Electric including former Western
Massachusetts Electric Company with 1380000 electric customers
ndash Public Service of New Hampshire with 528000 electric customers
Eversource Energy Service Company provides certain functions such as transmission operations and transmission planning
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas delivering natural gas to approximately 524000 customers
Eversource serves nearly 230000 water customers through Aquarion Water Company
Eversource has approx 8000 employees
ISO-NENSTAR
CONVEX
ESCC
2
Safety First and Always
Eversource Energy One Registered Entity
bull Effective January 1 2018 Eversource Energy Service Company (NCR07176) registration was consolidated with
bull Connecticut Light and Power (NCR07044)bull NSTAR Electric Company (NCR7180)bull Public Service of New Hampshire (NCR07203)bull Western Massachusetts Electric (NCR07232)
bull Benefits of registration consolidation include the followingbull Supports efforts for consistency and best practice across 3 statesbull Efficiency through consolidation of external audits
bull In January 2018 PSNH completed the sale of its fossil fuel and generation units therefore Eversource is no longer a GO or GOP
bull As of January 2018 Eversource Energyrsquos functional registration is nowDi
strib
utio
nPr
ovid
er
Tran
smiss
ion
Ow
ner
Tran
smiss
ion
Ope
rato
r
Tran
smiss
ion
Plan
ner
Tran
smiss
ion
Serv
ice P
rovi
der
DP TO TOP TP TSPEversource Energy Service CompanyNCR07176 X X X X X
14
Change Management
Change management processes are necessary to ensurebull Equipment Rating changes are
evaluated to identify impacts to Facility Ratings
bull Facility Rating changes are evaluated to identify impacts to protection analysis and monitoring of the Bulk Electric System
15
Change Management Example
Facility Ratings
TOP-003-3
TOP-001-4
TOP-002-4
TPL-001-4
IRO-010-2
MOD-032-1
PRC-023-4
16
Change Management Example 1
Low Bar Power Company has no documented change management processes but states Its personnel will know to review Facility Ratings if equipment changes
occur Appropriate personnel should receive an email when Facility Ratings
change
17
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for equipment changes that include Evaluation of changes by subject matter experts Required change approvals prior to changes being implemented Notification to update inventory after changes implemented Confirmation that changes implemented as planned
18
Change Management Example 2
Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include Automated notification of Facility Rating changes
bull Protection Engineeringbull System Planningbull System Operationsbull Operations Support
Checklist to verify appropriate follow-up action(s) taken Periodic comparisons with internal and external models
19
Questions
Meeting Title Date
RELIABILITY | RESILIENCE | SECURITY
BreakWebinar participants We will return at 345 pm Central
Safety First and Always
NERC 2019 Compliance amp Standards Workshop
Eversource Energy Service Company
July 23 ndash 24th 2019
Minneapolis MN 55402
Paolo DrsquoAlessandro JDSenior Specialist Reliability Compliance
Safety First and Always
Eversource Energy Service Territories
Eversource provides electric service in CT, MA and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
– Connecticut Light & Power, with over 1,270,000 electric customers
– NSTAR Electric, including former Western Massachusetts Electric Company, with 1,380,000 electric customers
– Public Service of New Hampshire, with 528,000 electric customers
Eversource Energy Service Company provides certain functions, such as transmission operations and transmission planning.
Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
Eversource serves nearly 230,000 water customers through Aquarion Water Company.
Eversource has approx. 8,000 employees.
(Service territory map, labelled ISO-NE, NSTAR, CONVEX and ESCC; figure not reproduced.)
Eversource Energy: One Registered Entity
• Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
  • Connecticut Light and Power (NCR07044)
  • NSTAR Electric Company (NCR7180)
  • Public Service of New Hampshire (NCR07203)
  • Western Massachusetts Electric (NCR07232)
• Benefits of registration consolidation include the following:
  • Supports efforts for consistency and best practice across 3 states
  • Efficiency through consolidation of external audits
• In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore, Eversource is no longer a GO or GOP.
• As of January 2018, Eversource Energy's functional registration is now:

                                              DP    TO    TOP   TP    TSP
  Eversource Energy Service Company, NCR07176  X     X     X     X     X

  DP = Distribution Provider, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider
A Strong Compliance Culture
• Continued efforts to consolidate three state organizations for consistency and identification of best practices, tools and controls
• Strong senior management commitment: executives are regularly engaged in supporting compliance-related activities
• Dedicated departments to focus on compliance (Reliability Compliance, Operational Compliance and Internal Audit)
• Work activities foster a systematic approach to operational excellence and compliance: Reportability Determinations, Root Cause Analysis, Self Assessments > Lessons Learned > Roadshow Presentations, Internal Audits, Events Analysis, Training (i.e., CIP annual training)
• Eversource SMEs lead on embedding compliance within their respective functional teams. SME responsibilities primarily affect the following enterprise-level groups:
Organization: Dedicated Committees & Departments to Ensure Compliance
Committees:
• Compliance and Ethics Committee
• Reliability Steering Committee - Quarterly
• Compliance Work Plan (CWP) - Monthly
Departments:
• Reliability Compliance
• Operational Compliance
• Internal Audit
• Enterprise Risk Management
Eversource - Enterprise-Wide Controls
Examples of internal controls that support NERC compliance at an enterprise-wide level consist of the following:
• Reliability Compliance Department: Oversees and assists the business in ensuring compliance with all applicable Reliability Standards & Requirements
• Compliance and Ethics Committee: Executive-level committee that oversees all compliance activity within the organization
• Internal Audit: Independently conducts periodic audits of compliance activities, including NERC Reliability Standards
• Enterprise Risk Management: Framework and process that enables an enterprise-wide view of business risks and how they are appropriately managed and mitigated
• Compliance Work Plan: Monthly meetings to brief leadership on compliance activity, including (1) KPIs, (2) standards development & implementation, (3) review of compliance activity, (4) emerging issues
• CATSWeb: Database system used to track and ensure completion of gap analysis and action plans for applicable NERC Standards and NPCC Directories
Eversource Cyber Strategy
Risk-based Defense in Depth strategy that evolves based on the business and industry trends.
Ensure Strong Cyber Hygiene: Policies, Vulnerability Management, Anti-malware technology, Security Monitoring, Security Awareness, Incident Response, Encryption, Secure Architecture
Ensure New Technologies are Secure (IT & OT):
• Privileged Access Mgmt
• Application testing
• Penetration testing
• Mobile device security
Ensure Cloud Technologies are Secure:
• 3rd party reviews
• Identity & Access Mgmt
• End Point Security
• Application isolation
Secure Legacy Systems: Technologies that isolate or protect vulnerable systems from being exploited
Ensure OT/SCADA Systems are Secure: Device authentication; Device and network monitoring; Strict external/remote access protocols
Eversource O&P/CIP ICE Lessons Learned
In 2018, Eversource participated in both an O&P and a CIP ICE exercise. Positive feedback was received from SMEs and Senior Management on the following:
• While resource intensive, the benefit of having a full review of internal controls, enhancement to existing controls and the reduction in audit scope outweighed the impact to the line.
• Flowcharts were useful to demonstrate internal controls (detective, preventative) that support ongoing compliance.
• If an entity decides to participate, don't underestimate the time needed to work with SMEs to review controls, complete the ICE Template and create flowcharts.
FAC-003-4 Flowchart (figure not reproduced)
TOP-002-4 Flowchart (figure not reproduced)
MOD-032-1 Flowchart (figure not reproduced)
CIP-011-2 Flowchart (figure not reproduced)
Questions
Creating sustainable value for all
Control Development
Kristen Long, Sr. Analyst
HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE.
NERC CONTROLS DEVELOPMENT OVERVIEW
Purpose: NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls, utilizing the appropriate control type (detective, corrective, preventative) to address compliance, reliability, security, financial and/or operational risks, and document the updated controls in Archer.
1. Gather existing information
   • NERC standard
   • Current RSAW
   • Policies and procedures
   • Enforcement history
   • Existing controls
   • Etc.
2. Kickoff meeting with BU
   • Outline the process
   • Create schedule
   • Define deliverables
3. Development meetings
   • Review the standard
   • Determine the need for a process map
   • Review and update existing controls
   • Develop new controls and tests to address risks
4. Approval
   • Control owners
   • NERC Compliance SMEs
   • NERC Compliance management
5. Upload to GRC Tool
DRAFT
Control Development
End Goal – develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority – start with CMEP standards; focus on CMEP requirements with Med/High VRF (2019)
Approach – tailored to the individual standard:
• CMEP med/high requirements vs. entire standard
• Complete process mapping where applicable
• Consider all risks – compliance, reliability, security, etc.
• Control & testing rigor based on violation risk factor (VRF) and enforcement history
• Partner with Projects SME and BU SMEs
• RSAW updates – where applicable
Archer – NERC Compliance
Risk Drives Robustness of Internal Controls
All controls address some type of risk: compliance (RSAW measures), reliability (relay settings being in sync, preventing cascading outages), security (unauthorized physical or cyber intrusion), financial, operational.
Items that could affect risk:
• Monitoring objectives
• Inherent risk (CMEP)
• Known or potential internal deficiencies (e.g., inexperience of owners/testers, complicated manual process, etc.), and
• Previous enforcement history
Control & Test Balancing
Approach to Control & Test Deployment
• Requires a balancing of considerations:
  Lower Risk (no violations, established process) = less persuasive evidence/documentation, fewer controls & tests
  Higher Risk = more persuasive evidence/documentation, increased controls & tests
How do I start?
• Create Process Map – a process map is a visual depiction of the high-level process. It should include the following information:
  • Flowchart-style picture of process(es)
  • Implementing Procedures/Policies
  • Critical steps
  • Area responsibilities
  • Known Risks
  • Procedure steps
  • Link to requirements
(Example process map slides, for illustrative purposes only; figures not reproduced.)
Additional Considerations
• Is the control, to the largest extent possible, automated?
• Are compensating and supporting internal controls needed?
• Is the level of documentation available for the control sufficient?
• Are any controls necessary to meet the objective missing?
• Even if the control operates as designed, will it fail to meet the objective? (If so = improperly designed)
Quiz: Identify the Preventative Control
a) A control captured in the GRC tool that automatically kicks off annually, directing a specific employee to perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employee's monitor, reminding them to perform the same action by the mandated deadline
Quiz: What qualifies as evidence?
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1, 2019, well within the mandated time periods
b) An electronic, time-stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now-convicted felon stating that, when he was still unindicted, he personally performed the patch management on the same date
d) Contemporaneously made video of the employee performing the patch management on January 1, 2019
Xcel Energy Overview
July 23, 2019
Company Profile – Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $11.4 billion. Based in Minneapolis, Minn., we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies.
Employees: 11,865
Natural gas operations:
• Customers: 2.0 million
• Transmission: 2,209 miles
• Distribution: 35,112 miles
Electricity operations:
• Customers: 3.6 million
• Transmission: 20,000 miles
• Distribution: 75,000 miles
Operating companies:
• Northern States Power Company-Minnesota
• Northern States Power Company-Wisconsin
• Public Service Company of Colorado
• Southwestern Public Service
Regional Entities: MRO - NSP (NSPM & NPSW), SPS; WECC - PSCO
Our Strategic Priorities
Lead the Clean Energy Transition: leverage competitive advantages to reduce emissions, improve grid performance and provide customer value.
Enhance the Customer Experience, Keep Bills Low: Service, Revenue & Customer-Focused Assets; Customer Effort & Cost to Serve.
• BROADEN economic growth and use of clean energy
• HELP customers be more efficient and lower energy use
• IMPROVE grid utilization effectiveness and economics
• EXPAND role and scope of propositions we offer
• LOWER total cost, effort and time to serve customers
RELIABILITY | ACCOUNTABILITY
- 1 Opening Announcements
  - Welcome
  - NERC Antitrust Compliance Guidelines
  - Public Announcement
  - General Announcements
  - Today's Agenda (2 slides)
  - Question and Answers
- 2 Keynote Remarks
  - Slide Number 1
  - Welcome to Minnesota
  - Slide Number 3
  - Slide Number 4
  - Slide Number 5
  - Slide Number 6
  - Slide Number 7
  - Slide Number 8
  - Slide Number 9
- 3 Application of the ERO Enterprise's Reliability Toolkit
  - Slide Number 1
  - Resilience is a Characteristic of a Reliable System
  - Resilience Indicators
  - Ensuring ALR
  - Declaration & Problem
  - Six-Step Framework (7 slides)
  - Guiding Principles
  - Slide Number 14
  - Illustrative Diagram
  - Questions and Answers
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
  - Facility Rating Internal Controls
  - Objectives
  - Internal Controls (2 slides)
  - Facility Rating Methodology
  - Facility Rating Methodology Example 1
  - Facility Rating Methodology Example 2
  - Inventory
  - Inventory Example 1
  - Inventory Example 2
  - Verification
  - Verification Example 1
  - Verification Example 2
  - Change Management
  - Change Management Example
  - Change Management Example 1
  - Change Management Example 2 (2 slides)
  - Questions
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop: Eversource
  - NERC 2019 Compliance & Standards Workshop: Eversource Energy Service Company
  - Eversource Energy Service Territories
  - Eversource Energy: One Registered Entity
  - A Strong Compliance Culture
  - Organization: Dedicated Committees & Departments to Ensure Compliance
  - Slide Number 6
  - Eversource Cyber Strategy
  - Eversource O&P/CIP ICE Lessons Learned
  - FAC-003-4 Flowchart
  - TOP-002-4 Flowchart
  - MOD-032-1 Flowchart
  - CIP-011-2 Flowchart
  - Slide Number 13
- 8 Compliance Standards Workshop: Entergy
  - Slide Number 1
  - Slide Number 2
  - Archer – NERC Compliance
  - Risk Drives Robustness of Internal Controls
  - Control & Test Balancing
  - How do I start
  - Slide Number 7
  - Slide Number 8
  - Additional Considerations
  - Slide Number 10
  - Slide Number 11
- 9 Compliance Standards Workshop: Xcel Energy
  - Slide Number 1
  - Company Profile – Xcel Energy
  - Xcel Energy
  - Our Strategic Priorities
  - Slide Number 5
- 10 General Questions and Answers
Safety First and Always
Organization: Dedicated Committees & Departments to Ensure Compliance
Committees
- Compliance and Ethics Committee
- Reliability Steering Committee (quarterly)
- Compliance Work Plan (CWP) (monthly)
Departments
- Reliability Compliance / Operational Compliance
- Internal Audit
- Enterprise Risk Management
Eversource - Enterprise-Wide Controls
Examples of internal controls that support NERC compliance at an enterprise-wide level consist of the following:
- Reliability Compliance Department: oversees and assists the business in ensuring compliance with all applicable Reliability Standards & Requirements
- Compliance and Ethics Committee: executive-level committee that oversees all compliance activity within the organization
- Internal Audit: independently conducts periodic audits of compliance activities, including NERC Reliability Standards
- Enterprise Risk Management: framework and process that enables an enterprise-wide view of business risks and how they are appropriately managed and mitigated
- Compliance Work Plan: monthly meetings to brief leadership on compliance activity, including (1) KPIs, (2) standards development & implementation, (3) review of compliance activity, (4) emerging issues
- CATSWeb: database system used to track and ensure completion of gap analysis and action plans for applicable NERC Standards and NPCC Directories
Eversource Cyber Strategy
Risk-based defense-in-depth strategy that evolves based on business and industry trends
- Ensure Strong Cyber Hygiene: policies, vulnerability management, anti-malware technology, security monitoring, security awareness, incident response, encryption, secure architecture
- Ensure New Technologies are Secure (IT & OT): privileged access management, application testing, penetration testing, mobile device security
- Ensure Cloud Technologies are Secure: 3rd-party reviews, identity & access management, endpoint security, application isolation
- Secure Legacy Systems: technologies that isolate or protect vulnerable systems from being exploited
- Ensure OT/SCADA Systems are Secure: device authentication, device and network monitoring, strict external/remote access protocols
Eversource O&P/CIP ICE Lessons Learned
In 2018 Eversource participated in both an O&P and a CIP ICE (Internal Controls Evaluation) exercise. Positive feedback was received from SMEs and Senior Management on the following:
- While resource intensive, the benefit of having a full review of internal controls, enhancement of existing controls and the reduction in audit scope outweighed the impact to the line.
- Flowcharts were useful to demonstrate internal controls (detective, preventative) that support ongoing compliance.
- If an entity decides to participate, don't underestimate the time needed to work with SMEs to review controls, complete the ICE Template and create flowcharts.
FAC-003-4 Flowchart
TOP-002-4 Flowchart
MOD-032-1 Flowchart
CIP-011-2 Flowchart
Questions
Creating sustainable value for all
Control Development
Kristen Long, Sr. Analyst
NERC CONTROLS DEVELOPMENT OVERVIEW
Purpose: NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls, utilizing the appropriate control type (detective, corrective, preventative) to address compliance, reliability, security, financial and/or operational risks, and document the updated controls in Archer.
1. Gather existing information: NERC standard; current RSAW; policies and procedures; enforcement history; existing controls; etc.
2. Kickoff meeting with BU: outline the process; create schedule; define deliverables
3. Development meetings: review the standard; determine the need for a process map; review and update existing controls; develop new controls and tests to address risks
4. Approval: control owners; NERC Compliance SMEs; NERC Compliance management
5. Upload to GRC tool
Archer – NERC Compliance
Control Development
End Goal – develop rigorous preventative controls and tests for the NERC reliability standards applicable to Entergy
Priority – start with CMEP standards; focus on CMEP requirements with Med/High VRF (2019)
Approach – tailored to the individual standard
- CMEP Med/High requirements vs. entire standard
- Complete process mapping where applicable
- Consider all risks – compliance, reliability, security, etc.
- Control & testing rigor based on Violation Risk Factor (VRF) and enforcement history
- Partner with Projects SME and BU SMEs
- RSAW updates – where applicable
Risk Drives Robustness of Internal Controls
All controls address some type of risk: compliance (RSAW measures), reliability (relay settings being in sync, preventing cascading outages), security (unauthorized physical or cyber intrusion), financial, operational.
Items that could affect risk:
- Monitoring objectives
- Inherent risk (CMEP)
- Known or potential internal deficiencies (e.g. inexperience of owners/testers, complicated manual process, etc.), and
- Previous enforcement history
Control & Test Balancing
Approach to control & test deployment: requires a balancing of considerations.
- Lower risk (no violations, established process) = less persuasive evidence/documentation, fewer controls & tests
- Higher risk = more persuasive evidence/documentation, increased controls & tests
How do I start?
- Create Process Map – a process map is a visual depiction of the high-level process. It should include the following information:
  - Flowchart-style picture of process(es)
  - Implementing procedures/policies
  - Critical steps
  - Area responsibilities
  - Known risks
  - Procedure steps
  - Link to requirements
FOR ILLUSTRATIVE PURPOSES ONLY (slides 7 and 8 are figures with no extractable text)
Additional Considerations
- Is the control, to the largest extent possible, automated?
- Are compensating and supporting internal controls needed?
- Is the level of documentation available for the control sufficient?
- Are any controls necessary to meet the objective missing?
- Even if the control operates as designed, will it fail to meet the objective? (If so, it is improperly designed.)
Safety First and Always
Ensure New Technologies are Secure (IT amp OT)bull Privilege Access Mgmtbull Application testingbull Penetration testingbull Mobile device security
Ensure Cloud Technologies are Securebull 3rd party reviewsbull Identity amp Access Mgmtbull End Point Security bull Application isolation
Eversource Cyber Strategy
Ensure Strong Cyber Hygiene
Policies Vulnerability Management Anti-malware technology Security Monitoring Security Awareness Incident Response Encryption Secure Architecture
Secure Legacy Systems
Technologies that isolate or protect vulnerable systems from being exploited
Risk Based Defense In Depth strategy that evolves based on the business and industry trends
Ensure OTSCADA Systems are SecureDevice authentication Device and network monitoringStrict externalremote access protocols
Safety First and Always
Eversource OampPCIP ICE Lessons Learned
In 2018 Eversource participated in both an OampP and CIP ICE exercise Positive feedback was received from SMEs and Senior Management on the following
While resource intensive the benefit of having a full review of internal controls enhancement to existing controls and the reduction in audit scope outweighed the impact to the line
Flowcharts were useful to demonstrate internal controls (detective preventative) that support ongoing compliance
If an entity decides to participate donrsquot underestimate the time needed to work with SMEs to review controls complete the ICE Template and create flowcharts
Safety First and Always
FAC-003-4 Flowchart
Safety First and Always
TOP-002-4 Flowchart
Safety First and Always
MOD-032-1 Flowchart
Safety First and Always
CIP-011-2 Flowchart
Safety First and Always
Questions
C r e a t i n g s u s t a i n a b l e v a l u e f o r a l l
Control DevelopmentKristen Long Sr Analyst
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 2
NERC CONTROLS DEVELOPMENT OVERVIEW
Gather existing information
bullNERC standardbullCurrent RSAWbullPolicies and procedures
bullEnforcement history
bullExisting controlsbullEtc
Kickoff meeting with BU
bullOutline the processbullCreate schedulebullDefine deliverables
Development meetings
bullReview the standard
bullDetermine the need for a process map
bullReview and updated existing controls
bullDevelop new controls and tests to address risks
Approval
bullControl ownersbullNERC Compliance SMEs
bullNERC Compliance management
Upload to GRC Tool
Purpose NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls utilizing the appropriate control type (detective corrective preventative) to address compliance reliability security financial andor operational risks and document the updated controls in Archer
DRAFT
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 3
Control Development
End Goal ndash develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority ndash start with CMEP standards focus on CMEP requirements with MedHigh VRF (2019)
Approach ndash tailored to the individual standardbull CMEP medhigh requirements vs entire standard
bull Complete process mapping where applicable
bull Consider all risks ndash compliance reliability security etc
bull Control amp Testing rigor based on violation risk factor VRF and enforcement history
bull Partner with Projects SME and BU SMEs
bull RSAW updates ndash where applicable
Archer ndash NERC Compliance
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 4
All controls address some type of risk compliance (RSAW measures) reliability (relay settings being in sync preventing cascading outages) security (unauthorized physical or cyber intrusion) financial operational
Items that could affect riskbull Monitoring objectives bull Inherent risk (CMEP)bull Known or potential internal deficiencies (eg inexperience of ownerstesters
complicated manual process etc) andbull Previous enforcement history
Risk Drives Robustness of Internal Controls
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 5
Approach to Control amp Test Deployment bull Requires a balancing of considerations
Control amp Test Balancing
No Violations
Established Process
Less persuasive evidence documentation fewer controls amp tests
More persuasive evidence documentation increased controls amp tests
= =
Lower Risk
Higher Risk
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 6
bull Create Process Map ndash process map is a visual depiction of the high level process It should include the following information
bull Flowchart style picture of process(es)bull Implementing ProceduresPoliciesbull Critical stepsbull Area responsibilitiesbull Known Risks bull Procedure stepsbull Link to requirements
How do I start
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz: What qualifies as evidence?
a) A bus full of nuns who testify that they personally witnessed the patch management control performed on January 1, 2019, well within the mandated time periods
b) An electronic, time-stamped entry in the GRC tool or another application showing when the patch management was performed
c) A now-convicted felon stating that, when he was still unindicted, he personally performed the patch management on the same date
d) A contemporaneously made video of the employee performing the patch management on January 1, 2019
Xcel Energy Overview
July 23 2019
Company Profile – Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $11.4 billion. Based in Minneapolis, Minn., we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies.
Employees: 11,865
Natural gas operations
• Customers: 2.0 million
• Transmission: 2,209 miles
• Distribution: 35,112 miles
Electricity operations
• Customers: 3.6 million
• Transmission: 20,000 miles
• Distribution: 75,000 miles
Xcel Energy
Four operating companies:
• Northern States Power Company-Minnesota (NSPM)
• Northern States Power Company-Wisconsin (NSPW)
• Public Service Company of Colorado (PSCO)
• Southwestern Public Service (SPS)
Regional Entities: MRO – NSP (NSPM & NSPW), SPS; WECC – PSCO
Our Strategic Priorities
Lead the Clean Energy Transition
Enhance the Customer Experience, Keep Bills Low
Leverage competitive advantages to reduce emissions, improve grid performance and provide customer value
• BROADEN economic growth and use of clean energy
• HELP customers be more efficient and lower energy use
• IMPROVE grid utilization, effectiveness and economics
• EXPAND role and scope of propositions we offer
• LOWER total cost, effort and time to serve customers
Diagram labels (image not reproduced): Service revenue & customer-focused assets; Customer effort & cost to serve
RELIABILITY | ACCOUNTABILITY
Contents
1 Opening Announcements
  - Welcome
  - NERC Antitrust Compliance Guidelines
  - Public Announcement
  - General Announcements
  - Today's Agenda (two slides)
  - Question and Answers
2 Keynote Remarks
  - Slide Number 1
  - Welcome to Minnesota
  - Slide Numbers 3 through 9
3 Application of the ERO Enterprise's Reliability Toolkit
  - Slide Number 1
  - Resilience is a Characteristic of a Reliable System
  - Resilience Indicators
  - Ensuring ALR
  - Declaration & Problem
  - Six-Step Framework (seven slides)
  - Guiding Principles
  - Slide Number 14
  - Illustrative Diagram
  - Questions and Answers
4 CIP-013-1 Case Study
5 FAC-008 Case Study
  - Facility Rating Internal Controls
  - Objectives
  - Internal Controls (two slides)
  - Facility Rating Methodology
  - Facility Rating Methodology Example 1
  - Facility Rating Methodology Example 2
  - Inventory
  - Inventory Example 1
  - Inventory Example 2
  - Verification
  - Verification Example 1
  - Verification Example 2
  - Change Management
  - Change Management Example
  - Change Management Example 1
  - Change Management Example 2 (two slides)
  - Questions
6 July 23 Afternoon Break
7 Compliance Standards Workshop: Eversource
  - NERC 2019 Compliance & Standards Workshop, Eversource Energy Service Company
  - Eversource Energy Service Territories
  - Eversource Energy: One Registered Entity
  - A Strong Compliance Culture
  - Organization: Dedicated Committees & Departments to Ensure Compliance
  - Slide Number 6
  - Eversource Cyber Strategy
  - Eversource O&P/CIP ICE Lessons Learned
  - FAC-003-4 Flowchart
  - TOP-002-4 Flowchart
  - MOD-032-1 Flowchart
  - CIP-011-2 Flowchart
  - Slide Number 13
8 Compliance Standards Workshop: Entergy
  - Slide Number 1
  - Slide Number 2
  - Archer – NERC Compliance
  - Risk Drives Robustness of Internal Controls
  - Control & Test Balancing
  - How do I start
  - Slide Number 7
  - Slide Number 8
  - Additional Considerations
  - Slide Number 10
  - Slide Number 11
9 Compliance Standards Workshop: Xcel Energy
  - Slide Number 1
  - Company Profile – Xcel Energy
  - Xcel Energy
  - Our Strategic Priorities
  - Slide Number 5
10 General Questions and Answers
Safety First and Always
Eversource O&P/CIP ICE (Internal Control Evaluation) Lessons Learned
In 2018 Eversource participated in both an O&P and a CIP ICE exercise. Positive feedback was received from SMEs and Senior Management on the following:
• While resource intensive, the benefit of having a full review of internal controls, enhancement to existing controls, and the reduction in audit scope outweighed the impact to the line.
• Flowcharts were useful to demonstrate internal controls (detective, preventative) that support ongoing compliance.
• If an entity decides to participate, don't underestimate the time needed to work with SMEs to review controls, complete the ICE Template, and create flowcharts.
FAC-003-4 Flowchart
TOP-002-4 Flowchart
MOD-032-1 Flowchart
CIP-011-2 Flowchart
(Flowchart images not reproduced in this transcript.)
Questions
Creating sustainable value for all
Control Development
Kristen Long, Sr. Analyst
NERC CONTROLS DEVELOPMENT OVERVIEW
Purpose: NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls, utilizing the appropriate control type (detective, corrective, preventative) to address compliance, reliability, security, financial and/or operational risks, and document the updated controls in Archer.
• Gather existing information
  - NERC standard
  - Current RSAW
  - Policies and procedures
  - Enforcement history
  - Existing controls
  - Etc.
• Kickoff meeting with BU
  - Outline the process
  - Create schedule
  - Define deliverables
• Development meetings
  - Review the standard
  - Determine the need for a process map
  - Review and update existing controls
  - Develop new controls and tests to address risks
• Approval
  - Control owners
  - NERC Compliance SMEs
  - NERC Compliance management
• Upload to GRC tool
DRAFT
Archer – NERC Compliance
Control Development
End Goal – develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority – start with CMEP standards; focus on CMEP requirements with Med/High VRF (2019)
Approach – tailored to the individual standard
• CMEP med/high requirements vs. entire standard
• Complete process mapping where applicable
• Consider all risks – compliance, reliability, security, etc.
• Control & testing rigor based on violation risk factor (VRF) and enforcement history
• Partner with Projects SME and BU SMEs
• RSAW updates – where applicable
Risk Drives Robustness of Internal Controls
All controls address some type of risk: compliance (RSAW measures), reliability (relay settings being in sync, preventing cascading outages), security (unauthorized physical or cyber intrusion), financial, operational.
Items that could affect risk:
• Monitoring objectives
• Inherent risk (CMEP)
• Known or potential internal deficiencies (e.g., inexperience of owners/testers, complicated manual process, etc.), and
• Previous enforcement history
Control & Test Balancing
Approach to Control & Test Deployment
• Requires a balancing of considerations
Lower risk (no violations, established process) = less persuasive evidence/documentation, fewer controls & tests
Higher risk = more persuasive evidence/documentation, increased controls & tests
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 6
bull Create Process Map ndash process map is a visual depiction of the high level process It should include the following information
bull Flowchart style picture of process(es)bull Implementing ProceduresPoliciesbull Critical stepsbull Area responsibilitiesbull Known Risks bull Procedure stepsbull Link to requirements
How do I start
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
Safety First and Always
FAC-003-4 Flowchart
Safety First and Always
TOP-002-4 Flowchart
Safety First and Always
MOD-032-1 Flowchart
Safety First and Always
CIP-011-2 Flowchart
Safety First and Always
Questions
C r e a t i n g s u s t a i n a b l e v a l u e f o r a l l
Control DevelopmentKristen Long Sr Analyst
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 2
NERC CONTROLS DEVELOPMENT OVERVIEW
Gather existing information
bullNERC standardbullCurrent RSAWbullPolicies and procedures
bullEnforcement history
bullExisting controlsbullEtc
Kickoff meeting with BU
bullOutline the processbullCreate schedulebullDefine deliverables
Development meetings
bullReview the standard
bullDetermine the need for a process map
bullReview and updated existing controls
bullDevelop new controls and tests to address risks
Approval
bullControl ownersbullNERC Compliance SMEs
bullNERC Compliance management
Upload to GRC Tool
Purpose NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls utilizing the appropriate control type (detective corrective preventative) to address compliance reliability security financial andor operational risks and document the updated controls in Archer
DRAFT
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 3
Control Development
End Goal ndash develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority ndash start with CMEP standards focus on CMEP requirements with MedHigh VRF (2019)
Approach ndash tailored to the individual standardbull CMEP medhigh requirements vs entire standard
bull Complete process mapping where applicable
bull Consider all risks ndash compliance reliability security etc
bull Control amp Testing rigor based on violation risk factor VRF and enforcement history
bull Partner with Projects SME and BU SMEs
bull RSAW updates ndash where applicable
Archer ndash NERC Compliance
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 4
All controls address some type of risk compliance (RSAW measures) reliability (relay settings being in sync preventing cascading outages) security (unauthorized physical or cyber intrusion) financial operational
Items that could affect riskbull Monitoring objectives bull Inherent risk (CMEP)bull Known or potential internal deficiencies (eg inexperience of ownerstesters
complicated manual process etc) andbull Previous enforcement history
Risk Drives Robustness of Internal Controls
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 5
Approach to Control amp Test Deployment bull Requires a balancing of considerations
Control amp Test Balancing
No Violations
Established Process
Less persuasive evidence documentation fewer controls amp tests
More persuasive evidence documentation increased controls amp tests
= =
Lower Risk
Higher Risk
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 6
bull Create Process Map ndash process map is a visual depiction of the high level process It should include the following information
bull Flowchart style picture of process(es)bull Implementing ProceduresPoliciesbull Critical stepsbull Area responsibilitiesbull Known Risks bull Procedure stepsbull Link to requirements
How do I start
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
Safety First and Always
TOP-002-4 Flowchart
Safety First and Always
MOD-032-1 Flowchart
Safety First and Always
CIP-011-2 Flowchart
Safety First and Always
Questions
C r e a t i n g s u s t a i n a b l e v a l u e f o r a l l
Control DevelopmentKristen Long Sr Analyst
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 2
NERC CONTROLS DEVELOPMENT OVERVIEW
Gather existing information
bullNERC standardbullCurrent RSAWbullPolicies and procedures
bullEnforcement history
bullExisting controlsbullEtc
Kickoff meeting with BU
bullOutline the processbullCreate schedulebullDefine deliverables
Development meetings
bullReview the standard
bullDetermine the need for a process map
bullReview and updated existing controls
bullDevelop new controls and tests to address risks
Approval
bullControl ownersbullNERC Compliance SMEs
bullNERC Compliance management
Upload to GRC Tool
Purpose NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls utilizing the appropriate control type (detective corrective preventative) to address compliance reliability security financial andor operational risks and document the updated controls in Archer
DRAFT
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 3
Control Development
End Goal ndash develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority ndash start with CMEP standards focus on CMEP requirements with MedHigh VRF (2019)
Approach ndash tailored to the individual standardbull CMEP medhigh requirements vs entire standard
bull Complete process mapping where applicable
bull Consider all risks ndash compliance reliability security etc
bull Control amp Testing rigor based on violation risk factor VRF and enforcement history
bull Partner with Projects SME and BU SMEs
bull RSAW updates ndash where applicable
Archer ndash NERC Compliance
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 4
All controls address some type of risk compliance (RSAW measures) reliability (relay settings being in sync preventing cascading outages) security (unauthorized physical or cyber intrusion) financial operational
Items that could affect riskbull Monitoring objectives bull Inherent risk (CMEP)bull Known or potential internal deficiencies (eg inexperience of ownerstesters
complicated manual process etc) andbull Previous enforcement history
Risk Drives Robustness of Internal Controls
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 5
Approach to Control amp Test Deployment bull Requires a balancing of considerations
Control amp Test Balancing
No Violations
Established Process
Less persuasive evidence documentation fewer controls amp tests
More persuasive evidence documentation increased controls amp tests
= =
Lower Risk
Higher Risk
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 6
bull Create Process Map ndash process map is a visual depiction of the high level process It should include the following information
bull Flowchart style picture of process(es)bull Implementing ProceduresPoliciesbull Critical stepsbull Area responsibilitiesbull Known Risks bull Procedure stepsbull Link to requirements
How do I start
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
Safety First and Always
MOD-032-1 Flowchart
Safety First and Always
CIP-011-2 Flowchart
Safety First and Always
Questions
C r e a t i n g s u s t a i n a b l e v a l u e f o r a l l
Control DevelopmentKristen Long Sr Analyst
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 2
NERC CONTROLS DEVELOPMENT OVERVIEW
Gather existing information
bullNERC standardbullCurrent RSAWbullPolicies and procedures
bullEnforcement history
bullExisting controlsbullEtc
Kickoff meeting with BU
bullOutline the processbullCreate schedulebullDefine deliverables
Development meetings
bullReview the standard
bullDetermine the need for a process map
bullReview and updated existing controls
bullDevelop new controls and tests to address risks
Approval
bullControl ownersbullNERC Compliance SMEs
bullNERC Compliance management
Upload to GRC Tool
Purpose NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls utilizing the appropriate control type (detective corrective preventative) to address compliance reliability security financial andor operational risks and document the updated controls in Archer
DRAFT
Control Development
End Goal – develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority – start with CMEP standards; focus on CMEP requirements with Med/High VRF (2019)
Approach – tailored to the individual standard
• CMEP med/high requirements vs. entire standard
• Complete process mapping where applicable
• Consider all risks – compliance, reliability, security, etc.
• Control & testing rigor based on violation risk factor (VRF) and enforcement history
• Partner with Projects SME and BU SMEs
• RSAW updates – where applicable
Archer – NERC Compliance
All controls address some type of risk: compliance (RSAW measures), reliability (relay settings being in sync, preventing cascading outages), security (unauthorized physical or cyber intrusion), financial, operational.
Items that could affect risk:
• Monitoring objectives
• Inherent risk (CMEP)
• Known or potential internal deficiencies (e.g., inexperience of owners/testers, complicated manual process, etc.), and
• Previous enforcement history
Risk Drives Robustness of Internal Controls
Approach to Control & Test Deployment
• Requires a balancing of considerations
Control & Test Balancing
Lower Risk (no violations, established process) = less persuasive evidence/documentation, fewer controls & tests
Higher Risk = more persuasive evidence/documentation, increased controls & tests
• Create Process Map – a process map is a visual depiction of the high-level process. It should include the following information:
  • Flowchart-style picture of process(es)
  • Implementing procedures/policies
  • Critical steps
  • Area responsibilities
  • Known risks
  • Procedure steps
  • Link to requirements
How do I start?
Example process map slides (for illustrative purposes only; images not extracted)
• Is the control, to the largest extent possible, automated?
• Are compensating and supporting internal controls needed?
• Is the level of documentation available for the control sufficient?
• Are any controls necessary to meet the objective missing?
• Even if the control operates as designed, will it fail to meet the objective? (if so = improperly designed)
Additional Considerations
Quiz
a) A control captured in the GRC tool that automatically kicks off annually, directing a specific employee to perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employee's monitor, reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
Quiz
a) A bus full of nuns who testify they personally witnessed the patch management control performed on January 1, 2019, well within the mandated time periods
b) An electronic, time-stamped entry in the GRC tool or another application showing when the patch management was performed
c) A now-convicted felon stating that, when he was still unindicted, he personally performed the patch management on the same date
d) Contemporaneously made video of the employee performing the patch management on January 1, 2019
What qualifies as evidence?
Xcel Energy Overview
July 23, 2019
Employees: 11,865
Natural gas operations
• Customers: 2.0 million
• Transmission: 2,209 miles
• Distribution: 35,112 miles
Electricity operations
• Customers: 3.6 million
• Transmission: 20,000 miles
• Distribution: 75,000 miles
Company Profile – Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $11.4 billion. Based in Minneapolis, Minn., we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies.
Xcel Energy
Operating companies:
• Northern States Power Company-Minnesota
• Northern States Power Company-Wisconsin
• Public Service Company of Colorado
• Southwestern Public Service
Regions: MRO – NSP (NSPM & NSPW), SPS; WECC – PSCO
Our Strategic Priorities
(Axes: Service revenue & customer-focused assets; Customer effort & cost to serve)
BROADEN economic growth and use of clean energy
HELP customers be more efficient and lower energy use
IMPROVE grid utilization, effectiveness and economics
EXPAND role and scope of propositions we offer
LOWER total cost, effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience; Keep Bills Low
Leverage competitive advantages to reduce emissions, improve grid performance and provide customer value
HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE. (Page 2)
NERC CONTROLS DEVELOPMENT OVERVIEW
Purpose: NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls, utilizing the appropriate control type (detective, corrective, preventative) to address compliance, reliability, security, financial and/or operational risks, and document the updated controls in Archer.

Gather existing information
• NERC standard
• Current RSAW
• Policies and procedures
• Enforcement history
• Existing controls
• Etc.
Kickoff meeting with BU
• Outline the process
• Create schedule
• Define deliverables
Development meetings
• Review the standard
• Determine the need for a process map
• Review and update existing controls
• Develop new controls and tests to address risks
Approval
• Control owners
• NERC Compliance SMEs
• NERC Compliance management
Upload to GRC Tool
DRAFT
Archer – NERC Compliance (page 3)
Control Development
End Goal – develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority – start with CMEP standards; focus on CMEP requirements with Med/High VRF (2019)
Approach – tailored to the individual standard
• CMEP med/high requirements vs. entire standard
• Complete process mapping where applicable
• Consider all risks – compliance, reliability, security, etc.
• Control & testing rigor based on violation risk factor (VRF) and enforcement history
• Partner with Projects SME and BU SMEs
• RSAW updates – where applicable
Risk Drives Robustness of Internal Controls (page 4)
All controls address some type of risk: compliance (RSAW measures), reliability (relay settings being in sync, preventing cascading outages), security (unauthorized physical or cyber intrusion), financial, operational.
Items that could affect risk:
• Monitoring objectives
• Inherent risk (CMEP)
• Known or potential internal deficiencies (e.g., inexperience of owners/testers, complicated manual process, etc.); and
• Previous enforcement history
Control & Test Balancing (page 5)
Approach to Control & Test Deployment
• Requires a balancing of considerations
No Violations / Established Process
Lower Risk = Less persuasive evidence documentation, fewer controls & tests
Higher Risk = More persuasive evidence documentation, increased controls & tests
How do I start? (page 6)
• Create Process Map – a process map is a visual depiction of the high-level process. It should include the following information:
  • Flowchart-style picture of process(es)
  • Implementing Procedures/Policies
  • Critical steps
  • Area responsibilities
  • Known risks
  • Procedure steps
  • Link to requirements
[Pages 7 and 8: image-only slides; page 7 is marked FOR ILLUSTRATIVE PURPOSES ONLY]
Additional Considerations (page 9)
• Is the control, to the largest extent possible, automated?
• Are compensating and supporting internal controls needed?
• Is the level of documentation available for the control sufficient?
• Are any controls necessary to meet the objective missing?
• Even if the control operates as designed, will it fail to meet the objective? (If so = improperly designed.)
Quiz: Identify the Preventative Control (page 10)
a) A control captured in the GRC tool that automatically kicks off annually, directing a specific employee to perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employee's monitor reminding them to perform the same action by the mandated deadline
Quiz: What qualifies as evidence? (page 11)
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1, 2019, well within the mandated time periods
b) An electronic, time-stamped entry in the GRC tool or another application showing when the patch management was performed
c) A now-convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporaneously made video of the employee performing the patch management on January 1, 2019
Xcel Energy Overview
July 23, 2019
Company Profile – Xcel Energy
Employees: 11,865
Natural gas operations
• Customers: 2.0 million
• Transmission: 2,209 miles
• Distribution: 35,112 miles
Electricity operations
• Customers: 3.6 million
• Transmission: 20,000 miles
• Distribution: 75,000 miles
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 3
Control Development
End Goal ndash develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy
Priority ndash start with CMEP standards focus on CMEP requirements with MedHigh VRF (2019)
Approach ndash tailored to the individual standardbull CMEP medhigh requirements vs entire standard
bull Complete process mapping where applicable
bull Consider all risks ndash compliance reliability security etc
bull Control amp Testing rigor based on violation risk factor VRF and enforcement history
bull Partner with Projects SME and BU SMEs
bull RSAW updates ndash where applicable
Archer ndash NERC Compliance
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 4
All controls address some type of risk compliance (RSAW measures) reliability (relay settings being in sync preventing cascading outages) security (unauthorized physical or cyber intrusion) financial operational
Items that could affect riskbull Monitoring objectives bull Inherent risk (CMEP)bull Known or potential internal deficiencies (eg inexperience of ownerstesters
complicated manual process etc) andbull Previous enforcement history
Risk Drives Robustness of Internal Controls
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 5
Approach to Control amp Test Deployment bull Requires a balancing of considerations
Control amp Test Balancing
No Violations
Established Process
Less persuasive evidence documentation fewer controls amp tests
More persuasive evidence documentation increased controls amp tests
= =
Lower Risk
Higher Risk
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 6
bull Create Process Map ndash process map is a visual depiction of the high level process It should include the following information
bull Flowchart style picture of process(es)bull Implementing ProceduresPoliciesbull Critical stepsbull Area responsibilitiesbull Known Risks bull Procedure stepsbull Link to requirements
How do I start
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 4
All controls address some type of risk compliance (RSAW measures) reliability (relay settings being in sync preventing cascading outages) security (unauthorized physical or cyber intrusion) financial operational
Items that could affect riskbull Monitoring objectives bull Inherent risk (CMEP)bull Known or potential internal deficiencies (eg inexperience of ownerstesters
complicated manual process etc) andbull Previous enforcement history
Risk Drives Robustness of Internal Controls
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 5
Approach to Control amp Test Deployment bull Requires a balancing of considerations
Control amp Test Balancing
No Violations
Established Process
Less persuasive evidence documentation fewer controls amp tests
More persuasive evidence documentation increased controls amp tests
= =
Lower Risk
Higher Risk
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 6
bull Create Process Map ndash process map is a visual depiction of the high level process It should include the following information
bull Flowchart style picture of process(es)bull Implementing ProceduresPoliciesbull Critical stepsbull Area responsibilitiesbull Known Risks bull Procedure stepsbull Link to requirements
How do I start
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 5
Approach to Control amp Test Deployment bull Requires a balancing of considerations
Control amp Test Balancing
No Violations
Established Process
Less persuasive evidence documentation fewer controls amp tests
More persuasive evidence documentation increased controls amp tests
= =
Lower Risk
Higher Risk
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 6
bull Create Process Map ndash process map is a visual depiction of the high level process It should include the following information
bull Flowchart style picture of process(es)bull Implementing ProceduresPoliciesbull Critical stepsbull Area responsibilitiesbull Known Risks bull Procedure stepsbull Link to requirements
How do I start
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 6
bull Create Process Map ndash process map is a visual depiction of the high level process It should include the following information
bull Flowchart style picture of process(es)bull Implementing ProceduresPoliciesbull Critical stepsbull Area responsibilitiesbull Known Risks bull Procedure stepsbull Link to requirements
How do I start
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz: Identify the Preventative Control

a) A control captured in the GRC tool that automatically kicks off annually, directing a specific employee to perform a required compliance action 1 month ahead of the deadline.
b) A yellow sticky note attached to the same employee's monitor, reminding them to perform the same action by the mandated deadline.
Quiz: What qualifies as evidence?

a) A bus full of nuns who testify that they personally witnessed the patch management control being performed on January 1, 2019, well within the mandated time periods.
b) An electronic, time-stamped entry in the GRC tool or another application showing when the patch management was performed.
c) A now-convicted felon stating that, when he was still unindicted, he personally performed the patch management on the same date.
d) A contemporaneously made video of the employee performing the patch management on January 1, 2019.
Xcel Energy Overview
July 23, 2019

Company Profile – Xcel Energy

Employees: 11,865

Natural gas operations
- Customers: 2.0 million
- Transmission: 2,209 miles
- Distribution: 35,112 miles

Electricity operations
- Customers: 3.6 million
- Transmission: 20,000 miles
- Distribution: 75,000 miles

Xcel Energy is an electric and natural gas company with annual revenues of $11.4 billion. Based in Minneapolis, Minn., we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies.
Xcel Energy

Operating companies:
- Northern States Power Company-Minnesota
- Northern States Power Company-Wisconsin
- Public Service Company of Colorado
- Southwestern Public Service

Regional Entities:
- MRO: NSP (NSPM & NSPW), SPS
- WECC: PSCO
Our Strategic Priorities

Lead the Clean Energy Transition
Enhance the Customer Experience, Keep Bills Low

- BROADEN economic growth and use of clean energy
- HELP customers be more efficient and lower energy use
- IMPROVE grid utilization, effectiveness and economics
- EXPAND role and scope of propositions we offer
- LOWER total cost, effort and time to serve customers

Diagram axes: Service Revenue & Customer-Focused Assets; Customer Effort & Cost to Serve

Leverage competitive advantages to reduce emissions, improve grid performance and provide customer value.
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 7FOR ILLUSTRATIVE PURPOSES ONLY
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 8
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 9
bull Is the control to the largest extent possible automatedbull Are compensating and supporting internal controls neededbull Is the level of documentation available for the control sufficientbull Are any controls necessary to meet the objective missingbull Even if the control operates as designed will it fail to meet the objective (if
so = improperly designed)
Additional Considerations
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 10
Quiz
a) A control captured in the GRC tool that automatically kicks off annually directing a specific employee perform a required compliance action 1 month ahead of the deadline
b) A yellow sticky note attached to the same employees monitor reminding them to perform the same action by the mandated deadline
Identify the Preventative Control
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
HIGHLY SENSITIVE CONFIDENTIAL AND PROPRIETARY SEE NOTICE ON LAST PAGE Page 11
Quiz
a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1 2019 well within the mandated time periods
b) An electronic time stamped entry into the GRC tool or another application showing when the patch management was performed
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date
d) Contemporarily made video of the employee performing the patch management on January 1 2019
What qualifies as evidence
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY1
- 1 Opening Announcements
-
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Todayrsquos Agenda
- Todayrsquos Agenda
- Question and Answers
-
- 2 Keynote Remarks
-
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9
-
- 3 Application of the ERO Enterprises Reliability Toolkit
-
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration amp Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers
-
- 4 CIP-013-1 Case Study
- 5 FAC-008 Case Study
-
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions
-
- 6 July 23 Afternoon Break
- 7 Compliance Standards Workshop Eversource
-
- NERC 2019 Compliance amp Standards WorkshopEversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization Dedicated Committees amp Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource OampPCIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13
-
- 8 Compliance Standards Workshop Entergy
-
- Slide Number 1
- Slide Number 2
- Archer ndash NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control amp Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11
-
- 9 Compliance Standards Workshop Xcel Energy
-
- Slide Number 1
- Company Profile ndash Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5
-
- 10 General Questions and Answers
-
Xcel Energy Overview
July 23 2019
Employees 11865Natural gas operationsbull Customers 20 millionbull Transmission 2209 milesbull Distribution 35112 milesElectricity operationsbull Customers 36 millionbull Transmission 20000 milesbull Distribution 75000 miles
Company Profile ndash Xcel Energy
Xcel Energy is an electric and natural gas company with annual revenues of $114 billion Based in Minneapolis Minn we have regulated operations in eight Midwestern and Western states and provide a comprehensive portfolio of energy-related products through four operating companies
Xcel Energy
3
Northern States Power Company-
MinnesotaNorthern States
Power Company-Wisconsin
Public Service Company of
Colorado
Southwestern Public Service
MRO- NSP (NSPM amp NPSW)- SPS
WECC- PSCO
Our Strategic Priorities
Service Revenue amp customer-Focused Assets
Customer Effort amp Cost to Serve
4
BROADENEconomic growth and use of clean energy
HELP Customers be more efficient and lower energy use
IMPROVEGrid utilization effectiveness and economics
EXPAND Role and scope of propositions we offer
LOWER Total cost effort and time to serve customers
Lead the Clean Energy Transition
Enhance the Customer Experience Keep Bills Low
LEAD THE CLEAN ENERGY TRANSITION
ENHANCE THE CUSTOMER EXPERIENCE KEEP BILLS LOW
Leverage competitive advantages to reduce emissionsimprove grid performance and provide customer value
RELIABILITY | ACCOUNTABILITY
- 1 Opening Announcements
- Welcome
- NERC Antitrust Compliance Guidelines
- Public Announcement
- General Announcements
- Today's Agenda
- Today's Agenda
- Question and Answers

- 2 Keynote Remarks
- Slide Number 1
- Welcome to Minnesota
- Slide Number 3
- Slide Number 4
- Slide Number 5
- Slide Number 6
- Slide Number 7
- Slide Number 8
- Slide Number 9

- 3 Application of the ERO Enterprise's Reliability Toolkit
- Slide Number 1
- Resilience is a Characteristic of a Reliable System
- Resilience Indicators
- Ensuring ALR
- Declaration & Problem
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Six-Step Framework
- Guiding Principles
- Slide Number 14
- Illustrative Diagram
- Questions and Answers

- 4 CIP-013-1 Case Study

- 5 FAC-008 Case Study
- Facility Rating Internal Controls
- Objectives
- Internal Controls
- Internal Controls
- Facility Rating Methodology
- Facility Rating Methodology Example 1
- Facility Rating Methodology Example 2
- Inventory
- Inventory Example 1
- Inventory Example 2
- Verification
- Verification Example 1
- Verification Example 2
- Change Management
- Change Management Example
- Change Management Example 1
- Change Management Example 2
- Change Management Example 2
- Questions

- 6 July 23 Afternoon Break

- 7 Compliance Standards Workshop Eversource
- NERC 2019 Compliance & Standards Workshop, Eversource Energy Service Company
- Eversource Energy Service Territories
- Eversource Energy One Registered Entity
- A Strong Compliance Culture
- Organization: Dedicated Committees & Departments to Ensure Compliance
- Slide Number 6
- Eversource Cyber Strategy
- Eversource O&P/CIP ICE Lessons Learned
- FAC-003-4 Flowchart
- TOP-002-4 Flowchart
- MOD-032-1 Flowchart
- CIP-011-2 Flowchart
- Slide Number 13

- 8 Compliance Standards Workshop Entergy
- Slide Number 1
- Slide Number 2
- Archer – NERC Compliance
- Risk Drives Robustness of Internal Controls
- Control & Test Balancing
- How do I start
- Slide Number 7
- Slide Number 8
- Additional Considerations
- Slide Number 10
- Slide Number 11

- 9 Compliance Standards Workshop Xcel Energy
- Slide Number 1
- Company Profile – Xcel Energy
- Xcel Energy
- Our Strategic Priorities
- Slide Number 5

- 10 General Questions and Answers