
NERC News · 2018. 11. 2. · NERC News | October 2018 2 Security Mission (cont’d) Perhaps most importantly, I leave NERC knowing that the E-ISAC is well on its way to implementation


Compliance

CMEP Technology Project Delivers Increased Efficiency and Effectiveness through Streamlined Processes

Compliance Monitoring and Enforcement Program Quarterly Report Available

Reliability Risk Management

Lessons Learned Posted

Webinar Resources Posted

Standards

Webinar Resources Posted

Upcoming Events

Regional Entity Events

Filings | Careers

Executive Management Spotlight – Tim Roxey

NERC and its Grid Security Mission

The November Board of Trustees meeting will be my last Board meeting because as you may already know, I am retiring from NERC after more than 40 years of service to the reliability and security of the bulk power system in North America. During my tenure at NERC, I have enjoyed a seat at the table where many of the Electric Reliability Organization’s greatest accomplishments were forged. I was part of the team that created the first set of mandatory and enforceable Critical Infrastructure Protection Reliability Standards for North America, creating a foundation for reliability that has gotten stronger with each new set of security standards. In 1999, NERC stood up the Electricity Sector Information Sharing and Analysis Center at the request of the Department of Energy. Having joined NERC in 2009, we steadily grew its capabilities, grew its staff from five to more than 28, and re-branded it as the Electricity Information Sharing and Analysis Center in 2015. I am proud to have helped the E-ISAC organization mature and grow its capabilities. Besides the essential contributions that our annual security conference, GridSecCon, and biennial security exercise, GridEx, make to cyber and physical security of our increasingly interdependent and shared infrastructure, the E-ISAC helps utilities protect their business networks through the Cybersecurity Risk Information Sharing Program and their operations networks through an ongoing pilot project with DOE that the E-ISAC expects to commercialize.

Headlines

Using NERC’s Improved Website Search Capability

NERC Thanks Chairman McIntyre

SERC Appoints New President and Chief Executive Officer

Statement on FERC's October Open Meeting

Grid Security Conference Focuses on Training, Tools and Resources

NERC News October 2018

Inside This Issue


Security Mission (cont’d)

Perhaps most importantly, I leave NERC knowing that the E-ISAC is well on its way to implementation of its E-ISAC Long-Term Strategic Plan with the vision to become a world-class, trusted source of quality analysis and rapid sharing of electricity industry security information. Grid security in North America has benefited and will continue to benefit from NERC and its E-ISAC. Keep up the great work!

Tim Roxey is vice president and chief special operations officer. ■■■

Headlines

Using NERC’s Improved Website Search Capability

As part of our ongoing IT efforts to improve technology across the ERO Enterprise, NERC launched the first phase of its website improvement plan in 2017. NERC upgraded the NERC.com platform, which improves the site’s stability, and streamlined the backend processes, promoting more consistency across the website. One of our most important undertakings was improving the website’s “search” capability. The upgraded platform allows NERC to develop a more robust search function, which allows users to enter key words, date ranges and file types to fine-tune further searches, yielding results that are more relevant by allowing more in-depth filtering of files. This function was enacted in March.

NERC’s project to enhance and improve the NERC website is ongoing with work on updating content, continuously improving search optimization and developing analytics to better meet the needs of users. We hope you have found this enhancement to be beneficial, and we look forward to more improvements to make NERC.com the place to go for reliability and security information. For more information on this or other IT projects on NERC.com, please contact Dee Humphries.

NERC Thanks Chairman McIntyre

NERC thanks Chairman Kevin McIntyre for his leadership and strong support of reliability during his tenure as chairman. “NERC has worked closely and productively with Chairman McIntyre, and I share his vision on many key challenges for reliability and opportunities for improving security practices,” said Jim Robb, NERC president and CEO. “We appreciate his efforts for the reliability of the bulk power system and wish him all the best for a speedy recovery.”

NERC looks forward to continuing our work with incoming Chairman Neil Chatterjee and the entire Commission on key priorities impacting grid reliability, including the changing resource mix, essential reliability services and security.

SERC Appoints New President and Chief Executive Officer

SERC Reliability Corporation (SERC) announced the appointment of Jason Blake to the position of president and chief executive officer, effective November 15, 2018. Since 2010, Blake has served as vice president and general counsel of ReliabilityFirst, a Federal Energy Regulatory Commission-approved Regional Entity responsible for ensuring the reliability of the bulk power system across the Great Lakes and Mid-Atlantic regions of the United States. SERC Announcement

Statement on FERC's October Open Meeting

The Federal Energy Regulatory Commission took action on two items related to reliability at its open meeting on October 18.

FERC issued Order No. 850 approving new, forward-looking and objective-based Reliability Standards to address supply chain risk management on the North American bulk power system. Intended to augment current Critical Infrastructure Protection Standards to mitigate cyber supply chain security risks for grid-related cyber systems, the new Supply Chain Risk Management Standards require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.

In the order, FERC directs NERC to develop modifications that will include Electronic Access Control and Monitoring Systems associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards over the next 24 months. FERC also approved NERC's request for an 18-month implementation period, saying it was justified because longer time-horizon capital budgets and planning cycles may be necessary for the technical upgrades to meet the Reliability Standards' security objectives. The final rule takes effect 60 days after publication in the Federal Register.

FERC also issued an order approving the 2019 business plan and budget for NERC, its regional entities and the Western Interconnection Regional Advisory Body.

NERC staff will continue the work with FERC and stakeholders toward assuring the reliability of the North American bulk power system. FERC Press Release

Grid Security Conference Focuses on Training, Tools and Resources

Partnership and collaboration were the focus of the eighth grid security conference, GridSecCon, which kicked off October 17 in Las Vegas. More than 520 security experts from across North America were in attendance for the two-day conference to share emerging trends, advancements and lessons learned related to the electric industry. The conference, hosted by the North American Electric Reliability Corporation and the Western Electricity Coordinating Council, focuses on protecting the grid through information sharing, education and collaboration with experts from industry; state, federal and Canadian partners; the vendor community; and international stakeholders. GridSecCon occurs each October to help promote National Cybersecurity Awareness Month, started by the Department of Homeland Security.

“The reliability and security of the grid are intertwined as much as the grid is interconnected across national boundaries, making our partnerships even more important,” said Jim Robb, NERC’s president and chief executive officer, in his opening remarks. “As adversaries become more determined and capable, we must remain agile and vigilant. Collaboration like GridSecCon allows us to get in sync, remain engaged and continue learning from each other.”

The conference objectives included promoting reliability of the bulk power system through training and education; engaging in discussions related to security threats, vulnerabilities and lessons learned from industry and government leaders; and discussing security best practices focused on reliability, risk mitigation and threat awareness. “In recent years we have witnessed improvements with Regional Entities’ Critical Infrastructure Protection programs,” said Melanie Frye, WECC’s president and CEO. “However, we must stay ahead of the ever-present security threats by enlisting strategies and programs to help deter them, like this vital conference.” Other keynotes included:

Karen Evans, assistant secretary, Office of Cybersecurity, Energy Security and Emergency Response, Department of Energy

Bob Kolasky, director of National Risk Management Center, National Protection and Programs Directorate, Department of Homeland Security

Bill Fehrman, president and CEO, Berkshire Hathaway Energy

Prior to the start of the conference, a memorandum of understanding was signed by NERC, the European Energy ISAC and the Japan Electricity-ISAC to help ensure security of electric systems in Europe, Japan and North America, further enhancing information sharing and collaboration efforts. The Electric Reliability Organization Enterprise, which is comprised of NERC and the seven Regional Entities, is committed to working with stakeholders to assure the reliability and security of the North American bulk power system. “We cannot ensure reliability without also ensuring security,” Robb said. “GridSecCon is one way to highlight the training, tools and resources necessary to meet this goal.” Full Announcement ■■■


Compliance

CMEP Technology Project Delivers Increased Efficiency and Effectiveness through Streamlined Processes

The ERO Enterprise’s Compliance Monitoring and Enforcement Program (CMEP) Technology Project was created to enhance the ERO Enterprise’s ability to share and analyze data that is crucial to the security and reliability of the grid. The project also solves a major hindrance to those efforts: processes and systems for monitoring compliance that differ across the industry, resulting in varying practices and consistency issues as well as an intensive amount of manual work required to maintain and share the information.

The CMEP Technology Project employs a single platform to capture and share data, which will better align the business processes of the ERO Enterprise, improve documentation, sharing and analysis of compliance work activities and make CMEP activities more efficient and effective across the ERO Enterprise. This will radically improve consistency, cost management, productivity and effectiveness.

The CMEP Technology Project team is 50 percent complete with its business process harmonization activities, as they work with regional subject matter experts to understand the current state processes across the ERO and align those processes into a common framework and user experience for the future. As a result of this process alignment work, all Regions and registered entities can expect to have standardized forms and interfaces as well as the below benefits in the new tool:

Self-Reports and Self-Logging

Single, standardized form and embedded guidance for both Self-Reports and Self-Logs to drive a consistent registered entity experience;

Eliminated use of spreadsheets; and

Self-Log items submitted on-demand by entities.

Enforcement

Introduction of an “obligations” section of the record to capture and track settlement activities similar to mitigating activities; and

Incorporation of evidence into enforcement records and improving transparency within the system to largely eliminate the burden of this activity.

Mitigation

Similar tracking capabilities for Mitigation Plans and mitigating activities;

All mitigation will begin as mitigating activities by default, with the ability to escalate to a formal Mitigation Plan when necessary; and

Enhanced tracking and reporting capabilities will result in meaningful efficiency gains.

Self-Certifications

An established single self-cert process, removing the distinction between “guided” and “traditional” self-certs; and

Flexibility so that Regions can ask clarifying questions and request evidence at time of submission and anytime during the process.

Periodic Data Submittals

Day 1 implementation will focus on standards where data is currently being submitted in OATI’s Web Compliance and Data Management System (webCDMS) and the Guidance Compliance Information Tracking System (CITS); and

Additional standards may be rolled into BWise platform in the future.

There are several more compliance monitoring methods and compliance planning activities to be harmonized in Q1 2019. When fully implemented, the CMEP Technology Project will drastically improve efficiency and effectiveness and provide deep and broad views of reliability across the ERO Enterprise, leading to new insights into data-informed reliability risk management. The use of these aligned risk-management approaches across the ERO Enterprise is essential to the ERO’s mission of continued grid reliability. For more information on the CMEP Technology Project, please visit the project page on NERC’s website.


Compliance Monitoring and Enforcement Program Quarterly Report Available

This report highlights key ERO Enterprise CMEP activities that occurred in Q3 2018 and provides information and statistics regarding those activities. In Q3 2018, CMEP activities throughout the ERO Enterprise reflected continuing implementation of a risk-based approach that has allowed the ERO Enterprise to focus resources on risks to the reliability of the bulk power system, entity-specific risks and serious risk noncompliance with Reliability Standards. NERC and the Regional Entities also collaborated on various compliance monitoring activities to identify lessons learned and provide additional insight and information to industry stakeholders.

Most significantly, in Q3 2018, the ERO Enterprise focused on the continued alignment of core CMEP activities. In Q3 2018, the ERO Enterprise resolved three reported consistency issues through its ERO Enterprise Program Alignment Process. NERC did not identify any new issues in Q3 2018. In Q3 2018, NERC filed seven full Notices of Penalty (NOPs), one involving a vegetation contact and one involving a serious risk violation of the CIP Reliability Standards. Also in Q3 2018, the ERO Enterprise transitioned the entities registered in SPP RE over to the new Regional Entities. For more information about ERO CMEP activities, please refer to the full report posted as Item 5 in the Compliance Committee agenda package. ■■■

Reliability Risk Management

Lessons Learned Posted

NERC published two new Lessons Learned under the Event Analysis – Lessons Learned tab on NERC.com.

The Networking Packet Broadcast Storms Lesson Learned examines an incident in which a second network cable was connected from a voice over internet protocol phone to a network switch lacking proper settings, and a packet broadcast storm prevented network communications from functioning. Supervisory control and data acquisition was lost for several hours. Broadcast storm events have also arisen from substation local area network issues. This Lesson Learned is of primary interest to Balancing Authorities, Generator Operators, Reliability Coordinators, Transmission Operators and Transmission Owners that own and operate an Energy Management System.

The Incorrect Field Modification and RAS Operation Lead to Partial System Collapse Lesson Learned examines an incident that occurred during an outage to isolate a 500 kV line disconnect switch and install a temporary bypass to facilitate its replacement. During the outage, field staff incorrectly modified the position of an auxiliary contact multiplier relay. This incorrect multiplier position enabled line stub bus protection, which misoperated due to the increase in flow despite there being no actual line fault. This incorrect multiplier position also prevented the remedial action scheme from operating as designed for the loss of the respective 500 kV circuit. The actuations resulted in separation of a large portion of the entity’s system, load losses, generator trips and islanding of a small pocket sustained by local generation. This Lesson Learned is of primary interest to Balancing Authorities, Reliability Coordinators, Transmission Operators, Transmission Owners, Generator Operators and Generator Owners.

A successful Lessons Learned document clearly identifies the lesson, contains sufficient information to understand the issues, visibly identifies the difference between the actual outcome and the desired outcome and includes an accurate sequence of events, when it provides clarity.

Webinar Resources Posted

NERC posted the streaming webinar and slide presentation for the September 6, 2018 Winter Preparation for Severe Cold Weather webinar. ■■■

Standards

Webinar Resources Posted

NERC posted the streaming webinar and slide presentation for the PRC-027-1 Requirement Training.

NERC posted the streaming webinar and slide presentation of the October 16, 2018 Project 2018-02 – Modifications to CIP-008 Cyber Security Incident Reporting webinar.

NERC posted the streaming webinar and slide presentation of the October 23, 2018 Project 2018-01 – TPL-007-3 GMD Canadian Variance webinar. ■■■

Regional Entity Events

Midwest Reliability Organization (MRO)

MRO Qtr. 4 Security Advisory Council Meeting, November 8 | Register

MRO CMEP Conference, November 14 | Register

Protective Relay Subcommittee Meeting, November 27 | Register

MRO Annual Member and Board of Directors Meeting, November 29 | Register

Texas RE

Talk with Texas RE, November 29 | Register ■■■

Upcoming Events

Board of Trustees Committees, Members Representatives Committee, and Board of Trustees Meetings – November 6–7 Atlanta Meeting Registration and Hotel Information

Primary Frequency Response Webinar: Steam Generation – 10:00–11:30 a.m. Eastern, November 13 | Register

Primary Frequency Response Webinar: Natural Gas Combined Cycle/Simple Cycle – 2:00–3:30 p.m. Eastern, November 13 | Register

Compliance Monitoring and Enforcement Program Implementation Plan Webinar – 1:00–2:00 p.m. Eastern, November 13 | Register

Operating Committee, Planning Committee, and Critical Infrastructure Protection Committee Meetings – December 11–12 Atlanta | Register for OC | Register for PC | Register for CIPC | Register for Hotel ■■■

Filings

NERC Filings to FERC

October 1, 2018
Informational Filing Regarding Reliability Standard BAL-001-2 | NERC submits an informational filing regarding Reliability Standard BAL-001-2 (Real Power Balancing Control Performance), as directed by FERC in Order No. 810.

October 12, 2018
Filing of NERC for Approval of Revisions to the Implementation Plans for Reliability Standards MOD-026-1 and MOD-027-1 | NERC submits a filing for approval of revisions to the implementation plans for Reliability Standards MOD-026-1 (Verification of Models and Data for Generator Excitation Control System or Plant Volt/Var Control Functions) and MOD-027-1 (Verification of Models and Data for Turbine/Governor and Load Control or Active Power/Frequency Control Functions).

October 16, 2018
Petition of NERC for Approval of Proposed Revisions to Appendix 4E to the Rules of Procedure | NERC submits a petition for approval of proposed revisions to Appendix 4E Compliance and Certification Committee -- Hearing (CCCPP-004) and (CCCPP-006) -- Mediation Procedures.

October 24, 2018
Comments of NERC in Support of Notice of Proposed Rulemaking | NERC submits comments in support of the Federal Energy Regulatory Commission's ("Commission") Notice of Proposed Rulemaking to revise the Commission regulations at 18 CFR § 38.1(b) to remove the incorporation by reference of Wholesale Electric Quadrant WEQ-006 -- Time Error Correction Business Practice Standards as adopted by the North American Energy Standards Board.

NERC Filings in Canada

October 4, 2018
Informational Filing Regarding BAL-001-2 (Alberta)
Notice of Filing of NERC of Proposed Reliability Standard CIP-012-1 (Alberta) | Attachments to CIP-012-1 Filing

October 25, 2018
Revisions to Implementation Plans for Reliability Standards MOD-026-1 and MOD-027-1 (Alberta)
Notice of Filing of NERC of Proposed Revisions to Appendix 4E to the ROP (Alberta) | Attachments to Appendix 4E Filing ■■■