NERC Reliability Working Group


July 25, 2013

A collaborative effort between NERC, the Regional Entities, and registered entities to identify and implement changes that enhance the effectiveness of the Compliance Monitoring and Enforcement Program.



- Represents risk-based compliance monitoring
- Focuses on risks to reliability
- Enforcement will be reserved for significant matters
- It is a customized compliance approach
- Individualized scoping for each registered entity
- Reduces administrative burdens and distractions

If the end state compliance monitoring and enforcement program is effective* at providing reasonable assurance through compliance monitoring, appropriate deterrence through enforcement and a feedback loop to continuously improve reliability standards.

*Resources expended to achieve and monitor compliance and carry out enforcement are sufficient on the larger risk areas and not necessarily over-applied on the lower risk areas.

The four components of the RAI are:

1. Assessing Reliability Risk
2. Scoping Compliance Monitoring
3. Processing Possible Violations in Accordance with Risk
4. Strengthening the Feedback Loop to the Standards Development Process




Definition of risk to the BES

- Instability, uncontrolled separation, or cascading failures
- System-wide risks to the BES

Entity’s Risk to the BES

- Inherent risk is a function of registrations and other relevant factors like system design, configuration, size, etc.
- Control risk is a function of the entity’s internal controls established to reduce risk of violation or system event.
- These two components will be considered in determining an entity’s risk profile or risk assessment.
- Project currently underway to determine a regional approach to develop a prototype for risk assessment.










- Analysis of risk assists an entity to deploy controls more effectively.
- Review should focus on greatest threats to reliability based on impact and likelihood of occurrence.
- Cost of a control should not exceed benefits.
- Reliability Standards are dynamic and methodology should be flexible enough to adapt with changes.
- There is no “one size fits all” model.

One size does not fit all!!!

Registered functions by entity (slide table; the extracted text preserves only the number of X marks per row, not which function columns they fall in):

Functions (columns): BA, DP, LSE, TO, GO, GOP, IA, PA, PSE, RC, RP, RSG, TP, TOP, TSP

Entity A (Co-Op): 7 functions marked X
Entity B (Gen): 2 functions marked X
Entity C: 12 functions marked X
Entity D: 5 functions marked X
Entity E (SoCo): 14 functions marked X

Risk assessment process flow (slide diagram):

Identify Risks -> Prioritize Risks -> Assess Risks (Develop Assessment Criteria; Assess Risk Interaction) -> Respond To Risks

Assess Risks, AKA Internal Controls


What are risks to reliability of the bulk electric system?

- Consider registered functions.
- Review event analysis of the entity.
- Review operational issues in the industry.
- What keeps me up at night relative to reliability?

What are compliance risks for the Standards?

- Are there stumbling blocks to compliance for the entity?
- Review self-reports for the entity (are there problematic standards?).
- Review frequently violated standards.
- What keeps me up at night relative to compliance?

Risk Interactions

- Interactions between other events/conditions that could increase risk.

How do risks rank relative to each other?

- Formal method to calculate risk
- Likelihood scale, impact scale
- “Pin the tail on the donkey”
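The slide names a "formal method to calculate risk" built on a likelihood scale and an impact scale, and asks how risks rank relative to each other and how interactions between risks are treated. The following is an added worked example, not code from the NERC slides or from any Regional Entity: a small risk register that scores each risk as likelihood rating times impact rating, ranks the register, bands the scores, and lists the risk interactions flagged in the register. The five-point scales, the multiplicative score, the band thresholds and the sample risks are all constructed assumptions; only the PRC-005 reference is a standard that appears elsewhere in the deck.

```python
"""Added example, not from the NERC slides: a risk register that applies a
likelihood scale and an impact scale, ranks the entries, and surfaces the
risk interactions recorded against them. Scales, scoring rule, bands and the
sample risks are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed ordinal scales (1 = lowest). A real program would calibrate these
# against its own event history and registered functions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str          # "reliability" (risk to the BES) or "compliance" (risk to the Standards)
    likelihood: str        # key into LIKELIHOOD
    impact: str            # key into IMPACT
    interactions: Tuple[str, ...] = ()  # other register entries that raise this risk if both occur

    def score(self) -> int:
        """Assumed scoring rule: likelihood rating multiplied by impact rating (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def band(score: int) -> str:
    """Assumed bands over the 1..25 range; the thresholds are a local choice, not a NERC rule."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest score first. Ties go to the higher impact, so a rare but severe
    event is not buried under a frequent nuisance that happens to share its score."""
    return sorted(risks, key=lambda r: (-r.score(), -IMPACT[r.impact], r.name))


def interacting_pairs(risks: List[Risk]) -> List[Tuple[str, str]]:
    """(risk, other) pairs where both sides are in the register: the interactions
    the assessment should look at before the ranking is finalized."""
    names = {r.name for r in risks}
    return [(r.name, other) for r in risks for other in r.interactions if other in names]


def risk_table(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Ranked (name, score, band) rows, the shape a review meeting would work from."""
    return [(r.name, r.score(), band(r.score())) for r in rank_risks(risks)]


# Constructed sample register (illustrative entries, not an actual entity's risks).
SAMPLE_RISKS = [
    Risk("Protection system misoperation", "reliability", "possible", "major"),
    Risk("Relay maintenance interval missed (PRC-005)", "compliance", "likely", "moderate",
         interactions=("Protection system misoperation",)),
    Risk("Loss of EMS visibility", "reliability", "unlikely", "severe"),
    Risk("Operator log entries incomplete", "compliance", "likely", "minor"),
    Risk("Uncontrolled separation", "reliability", "rare", "severe"),
]


if __name__ == "__main__":
    for name, score, level in risk_table(SAMPLE_RISKS):
        print(f"{score:>2} {level:<6} {name}")
    for risk, other in interacting_pairs(SAMPLE_RISKS):
        print(f"interaction: '{risk}' raises '{other}'")
```

The tie-break on impact is the design choice worth noticing: two entries with the same score can describe very different situations, and sorting the higher-impact one first keeps the review focused on the greatest threats to reliability rather than on the most frequent findings. The interaction list is deliberately separate from the score, because the slide treats interactions as something to assess, not as a number to fold into the ranking automatically.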








Control Program (slide diagram)

Inputs: Reliability Functions

Control Activities: Processes, Practices, Policies, Procedures; Systems, Approvals, Authorizations, Reviews

Outputs: Compliance with the Reliability Standards

An entity’s control activities facilitate compliance to the Reliability Standards.

- Information / Communication
- Control Environment (Culture)
- Risk Assessment
- Monitoring

An internal control program helps provide a Registered Entity with reasonable assurance of compliance with the requirements of the Standards.


Current - Standards Based: CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009; 693 Standards

Future - Functions Based: Device Management; Change Management & Testing; Recovery & Incident Response; Access Control; Physical Security; Info. Classification & Handling / Doc Control


- Policies and procedures ensure management’s directives are carried out.
- Elements of controls work together and collectively reduce risk of not achieving objectives.
- Should not be considered discretely (defense in depth).

Continuous Improvement Cycle





Detective Internal Controls*

Control | Associated NERC standard(s) | Frequency

Compliance Program Management Controls
Self-Assessments prior to Self-Certification | All Standards | Annual
Targeted Compliance Site Assessments | All Standards | Annual
NYPA Internal Event Analysis Plan | NERC EA process, EOP-004 |

Operations, Maintenance, and Cyber Security Controls
Protection Control & Engr. (PC&E) Quarterly work order review and compliance attestations | PRC-005, PRC-006, PRC-007, PRC-008, PRC-009, PRC-010, PRC-011, PRC-015, PRC-017, PRC-018, PRC-021 |
PC&E peer review of Relay Operation Analysis | PRC-001, PRC-004 |
PC&E tracking Maintenance & Testing Exceptions | PRC-005, PRC-006, PRC-007, PRC-008, PRC-009, PRC-010, PRC-011, PRC-015, PRC-017, PRC-018, PRC-021 |
Operator logging review | COM-002, PRC-001, VAR-002, TOP-001, TOP-002, TOP-003, TOP-006 |
Incident Response Program | CIP-008 | Ongoing
A ‘central’ logging mechanism and transmission to a third party service for the aggregation and analysis of security logs | CIP-007 | Ongoing
Operator Shift turn-over compliance check lists | COM-002, PRC-001, VAR-002, TOP-001, TOP-002, TOP-003, TOP-006 |



Internal Controls Analysis

- Review existing processes, procedures and policies to determine if they facilitate compliance with the Reliability Standards

Conceptual White Papers

ERO & Industry Documents
- RAI Q&A
- Internal Controls Working Guide
- Initial Phase Plan/Deliverables
- Audit Handbook

ERO & Industry Collaborative Guides
- Benefits & Impacts
- Internal Control Library

RAI Pilots
- MRO - ATC
- RFC - PJM, PPL
- SERC - integrating into audits

Self-Reporting Process Enhancement
- Self-Report Guide
- Mitigation Plan Guide
- Violation vs Deficiency Pilots
- FFT Enhancements
- Regional Entity Triage Process


Controls Framework Documents

- Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework
- The Institute of Internal Auditors: International Professional Practices Framework, Standard 2210 Engagement Objectives
- Information Systems Audit and Control Association: Control Objectives for Information and Related Technology

Auditing Guidance Documents

- American Institute of Certified Public Accountants: Professional Standards, vol. 1, AU Section 314
- United States Government Accounting Office - Government Auditing Standards, Chapter 7, Reporting Standards for Performance Audits

NERC RAI Documents

- http://www.nerc.com/pa/comp/Pages/Reliability-Assurance-Intiative.aspx



Questions