WECC COMPLIANCE OUTREACH OPEN WEBINAR
Thursday, September 19, 2013 2:00 pm MT
TRANSCRIPT

Agenda
NERC Transition Guidance on CIP v.5 | B. Castagnetto
FERC Approval of RoP Change – TFE update | B. Carr
Confirming Scope During CMP Submittal | K. Sarin
Registration Tool | Taylor Allred
2014 Actively Monitored List | K. Israelsson

Brent Castagnetto CBRM, CBRA, MABR
Manager, Cyber Security Audits & Investigations
CIP Version 5 Transition Guidance
September 2013 Open-Webinar
September 19th 2013

Mandatory and Enforceable = V3
• The WECC Cyber Security Audit Team will audit to Version 3 of the CIP Standards until such time as:
o Version 4 becomes mandatory & enforceable (10/1/14)
o FERC provides remand of V4, or approves V5
o NERC provides implementation plan guidance on V3 – V5 transition
• There will be opportunity to begin preparing for V5

NERC Version 5 Transition Guidance
• On April 18th 2013 FERC issued a NOPR proposing to approve CIP V5
o Some changes were requested & NERC has responded
• On September 5th 2013 NERC provided revised guidance related to CIP Version 5
o Transition Period is from 9/5/2013 to V5 mandatory and enforceable date (still unknown)

Version 4 / 5 Update
• On 7/18/2013, the “Trade Associations” filed a motion to delay the deadline for complying with V4.
• FERC granted a six month extension on V4 to 10/1/2014.
http://elibrary.ferc.gov/idmws/file_list.asp?accession_num=20130812-3014
http://bit.ly/13ZFLWx

CIP Version 5 Transition Guidance
• “Prior to the date of mandatory enforcement of CIP Version 5, a Responsible Entity must continue to comply with the CIP Version 3 Standards (CIP-003-3 through CIP-009-3) during the Transition Period”
o An entity may continue to maintain and apply its CIP-002-3 RBAM during the transition period or it may choose one of two options to identify and document Critical Assets in lieu of maintaining a RBAM (R1) and applying (R2) its CIP-002-3 RBAM.

CIP Version 5 Transition Guidance
• On or after April 11th 2013, Registered Entities may choose:
o Option 1. Utilize the CIP Version 4 bright-line criteria in its entirety, with the exception of criterion 1.4 (Blackstart Resources) and criterion 1.5 (Cranking Paths), to identify assets subject to the controls in CIP-003-3 through CIP-009-3, or

CIP Version 5 Transition Guidance
• On or after September 5th 2013, Registered Entities may choose:
o Option 2. Utilize the CIP Version 5 “High” and “Medium” Impact Ratings (see CIP-002-5 - Attachment 1: IRC, pp. 14-16) to identify assets subject to the controls in CIP-003-3 through CIP-009-3

CIP Version 5 Transition Guidance
• Things to consider:
o Entities choosing option 1 or 2 as a valid Critical Asset Identification [CAID] methodology may decide to remove Critical Assets previously identified under a CIP-002-3 RBAM.
o CIP Versions 4 and 5 contain requirements for asset identification that permit certain third parties to designate an asset as critical (Reliability Coordinators, Transmission Planners, Planning Coordinators, or Planning Authorities)

CIP Version 5 Transition Guidance
• Things to consider:
o If option 1 (V4) is selected, be aware of Bright-Line Criteria 1.3, 1.8, 1.9, and 1.10
o If option 2 (V5) is selected, be aware of Impact Rating Criteria 2.3, 2.6 and 2.8

CIP-002-3 R3
• After the application of one of the two options to identify and document a list of Critical Assets, the entity must use the list of Critical Assets and apply its current CIP-002-3 R3 Critical Cyber Asset Identification methodology [CCAID] to document a list of Critical Cyber Assets [CCAs] that are essential to the operation of the Critical Asset and meet one of the qualifying connectivity attributes (R3.1-R3.3).
• No change from the current CIP-002-3 R3 process

CIP-002-3 R4
• The CIP Senior Manager must also review and approve the list of Critical Assets and the list of Critical Cyber Assets, even if such lists are null, at least annually (R4).
• The only change to R4 is annual review and approval of the RBAM will not be required if the entity has chosen option 1 or 2.

CIP-003-3 through CIP-009-3
• Based on the results of the application of the chosen CAID methodology, and subsequent application of the CCAID methodology to the list of Critical Assets, if the entity identifies a list of CCAs, the entity must continue to comply with all of CIP-003-3 through CIP-009-3.
• If the list of CCAs is null, the entity must continue to comply with CIP-002-3 R1-R4 (with the changes identified above) and CIP-003-3 R2.

CIP Version 5 Transition Guidance
• A Responsible Entity must identify the approach it is using for asset identification as part of its response to a pre-Compliance Audit Survey, a pre-Spot Check data request, or as otherwise requested pursuant to the Compliance Monitoring and Enforcement Program
o WECC will request information surrounding your approach in the audit / spot check notices in 2014
o A good practice to meet this data request is to have the CIP Senior Manager sign and date a statement declaring the entity’s choice of CAID methodology.

CIP Version 5 Transition Guidance
• Within the Transition Guidance Document there is reference to the CIP Version 5 Study
o The study will collect and evaluate data from selected entities regarding implementation of CIP V5
o These results will be shared with industry upon completion of the study

CIP Version 5 Transition Guidance
• What is the purpose of Transition Implementation Study?
o Determine compliance and enforcement expectations for the Industry during the transition from v3 to v5
o Determine technical challenges or compliance issues that limit the effective compliance to the CIP standards
o Improve consistency, transparency and awareness of the newly approved CIP standards

CIP Version 5 Transition Timeline

How will WECC Prepare for V5?
• WECC will provide significant outreach beginning at the September CIP-101 and throughout 2014 on the CIP Version 5 audit approach.
o Two Day outreach events will be held in various locations around the western interconnection to facilitate in person attendance. February 5-6 & March 19-20 2014
o Open webinar and CIPUG events will be used to advise WECC entities

References
• References used in this presentation
o FERC Notice of Proposed Rulemaking (NOPR) on CIP Version 5 http://www.ferc.gov/whats-new/comm-meet/2013/041813/E-7.pdf
o Trade Associations Request http://bit.ly/13ZFLWx
o FERC Notice Granting Extension Of Time http://elibrary.ferc.gov/idmws/file_list.asp?accession_num=20130812-3014
o NERC V5 Transition Guidance http://www.nerc.com/pa/comp/Resources/ResourcesDL/Cyber%20Security%20Standards%20Transition%20Guidance%20(Revised).pdf

WECC CIP-002 Subject Matter Experts
Dr. Joe Baugh
(M) 520.331.6351
(O) 360.567.4061
Bryan Carr
(O) 801-819-7691
(M) 801-837-8425

Questions?
Brent Castagnetto CBRM, CBRA, MABR
Manager, Cyber Security Audits & Investigations
O: 801.819.7627
M: 801.597.7957

Bryan Carr PMP, CISA
Compliance Auditor – Cyber Security
TFE Update – Revised Appendix 4D
September 2013 Open Webinar
September 19, 2013

FERC Approved Appendix 4D
• FERC Docket No. RR13-3-000 – Sep. 3, 2013
o Order approving proposed revisions to Appendix 4D of the NERC Rules of Procedure
o Two items require response from NERC
   - Timing of submitting Material Change Reports
   - Annual reports to FERC
o Industry comments on changes due Oct. 31, 2013
   - Detailed Summary of Proposed Revisions
   - Redline Version of Appendix 4D

Who moved my cheese?
• Changes required to accommodate the revised process:
o WebCDMS fields, workflow, and other processes
o How you track, manage, and update TFEs and their associated Cyber Assets

TFEs – Interim Steps
• Read, re-read, and then read again revised Appendix 4D
• Until updates to webCDMS and other processes are complete, prepare to track TFEs and associated devices in spreadsheet or database
• WECC continues to work with NERC and will work with you during this transition process
• CIPUG Anaheim October 24, 2013 – presentation with additional details

For More Information…
• FERC Order:
http://www.ferc.gov/CalendarFiles/20130903162133-RR13-3-000.pdf
• NERC Documents:
http://www.nerc.com/FilingsOrders/us/RuleOfProcedureDL/Draft_ROP_Compliance_Filing_Redline_Appendix_4D_09162013.pdf
http://www.nerc.com/FilingsOrders/us/NERC%20Filings%20to%20FERC%20DL/NERCPetApproveRevApp4D4-8-2013.pdf
• WECC Presentations:
http://www.wecc.biz/compmtg/01282013/Lists/Presentations/1/1%2030%2013%20TFEUpdate_BC_CIPUG_Mesa.pdf
http://www.wecc.biz/20121015/Lists/Minutes/1/2012%2010%2017%20Castagnetto%20CIPUG%20TFE_BC.pdf

Questions?
Bryan Carr PMP, CISA
Compliance Auditor – Cyber Security
Western Electricity Coordinating Council
155 N 400 W, Suite 200
Salt Lake City, UT 84103
801-819-7691

Keshav Sarin
Manager, Enforcement O&P and CIP
Confirming Scope during CMP submittal
September 19, 2013

What’s a CMP?
• Completed Mitigation Plan
• Includes evidence that all actions identified in the Mitigation Plan were completed

Confirming Violation Scope
• We always ensure the complete scope of a violation has been identified
o Violation Review
o Mitigation Plan Review

What’s New?
• During CMP submittal, please include a brief statement that the scope of the violation has not changed.
o E.g. The scope of this violation has not changed since the mitigation plan was accepted by WECC

Taylor Allred
Associate Compliance Process Analyst
Registration Tracking System
September 19, 2013
Compliance Open Webinar

Registration Tracking System
• Benefits of the Registration Tracking System
o Detailed registration form and document upload
o Reduce process cycle time
o Eliminate repetitive data entry
o Provide automated communications to registrants helping to improve customer service

Types of Registration Requests
• Types of Registration Requests submitted through the new Registration Form
o New Registrations
o Functional Change Registrations
o Transfer of Assets
o Foot Print Changes
o Deactivations
o Legal Name Changes
37
http://www.wecc.biz/compliance/United_States/Pages/EntityRegistration.aspx
Where is the WECC Registration Web Page?

Where is the New Form Located?

Registration Request Web Page

You will Need a WECC Website Account to Access the Registration Form

Registration Tracking System Implementation Timeline
Date | Description | Location
October 23, 2013 | Registration Tool Overview | CUG
October 29, 2013 2:00 PM (MDT) | Registration User Training | Webinar
November 1, 2013 | All Registration Requests are required to be submitted via the new form | N/A

Questions?
Taylor Allred
Associate Compliance Process Analyst
801-819-7635

Kim Israelsson
Lead Compliance Data Analyst
2014 Actively Monitored List
September 19, 2013

Questions?
Laura Scholl
Managing Director of Stakeholder Outreach