
Agenda Board of Directors Compliance Committee of Directors Library...2018/08/29  · DRAFT Minutes Board of Directors • Compliance Committee May 23, 2018 • Cleveland, OH ReliabilityFirst


Agenda Board of Directors • Compliance Committee August 29, 2018 • 1:00 PM – 3:00 PM (ET)

ReliabilityFirst Corporation 3 Summit Park Drive, Suite 600 • Cleveland, OH 44131 Room: 5th Floor Conference Center Attire: Business Casual

Open Agenda

1. Call to Order and Appoint Secretary to Record Minutes
Presenter: Brenton Greene, Chair

2. Antitrust Statement
Presenter: Brenton Greene, Chair

3. Approve Compliance Committee Meeting Minutes
Presenter: Brenton Greene, Chair
Reference: Draft Minutes for the May 23, 2018 Compliance Committee Meeting
Action: Approve Minutes

4. Overview of Registry and IRA Progress
Presenter: Tony Jablonski
Description: Mr. Jablonski will provide an overview of the ReliabilityFirst Registry and discuss progress made on completing Inherent Risk Assessments for all ReliabilityFirst Registered Entities.
Reference: Presentation
Action: Information and Discussion

5. Culture of Security
Presenter: Kevin Ball and Joseph Robinson, DTE Energy
Description: DTE Energy will discuss its efforts to develop and foster a culture of security across its entire organization.
Reference: Presentation *to be provided upon receipt
Action: Information and Discussion

6. Violation Trends
Presenter: Kristen Senk
Description: Ms. Senk will provide an update on current activity in the CIP and Operations and Planning Reliability Standards context. She will also discuss ReliabilityFirst’s efforts to better understand and perform appropriate outreach to help address identified causes.
Reference: Presentation
Action: Information and Discussion

7. FERC Order Expanding Cyber Security Reporting
Presenter: Matt Thomas
Description: Mr. Thomas will provide an overview of the recent FERC Order 848 expanding cyber security incident reporting.
Reference: Presentation
Action: Information and Discussion

8. Next Meeting
November 28, 2018 • Washington, DC

Closed Agenda

9. Confidential Compliance and Enforcement Matters
Presenter: Jeff Craigo and Jason Blake
Description: Mr. Craigo and Mr. Blake will present confidential matters.
Reference: Confidential Documents
Action: Information and Discussion

10. Adjourn

Roster • Compliance Committee

Brenton Greene, Chair • Independent (2019)
Larry Irving, Vice Chair • Independent (2018)
Ken Capps • At-Large (2019)
Patrick Cass • Independent (2020)
Michael Bryson • RTO (2018)


Draft Minutes for the May 23, 2018 Compliance Committee Meeting


DRAFT Minutes Board of Directors • Compliance Committee May 23, 2018 • Cleveland, OH

ReliabilityFirst Corporation 3 Summit Park Drive • Cleveland, OH 44131

Open Session

Call to Order – Chair Brenton Greene called to order a duly noticed open meeting of the Compliance Committee on May 23, 2018 at 1:00 pm (ET). A quorum was present, consisting of the following members of the Compliance Committee: Brenton Greene, Chair; Larry Irving, Vice Chair; Michael Bryson; Ken Capps; and Patrick Cass. A list of others present during the Compliance Committee meeting is set forth in Attachment A.

Appoint Secretary to Record Minutes – Chair Greene designated Megan Gambrel as the secretary to record the meeting minutes.

Antitrust Statement – Chair Greene advised all present that this meeting is subject to, and all attendees must adhere to, ReliabilityFirst’s Antitrust Compliance Guidelines.

Approve Compliance Committee Meeting Minutes – Chair Greene presented draft minutes for the March 14, 2018 Compliance Committee meeting, which were included with the agenda package. Upon a motion duly made and seconded, the Compliance Committee approved the minutes as presented.

PJM CIP Security Segmentation – Bryon Koskela and Steve McElwee from PJM Interconnection, LLC (PJM) provided an overview of PJM’s network segmentation project to continuously improve the security and compliance of its operations. They discussed the drivers for the project and PJM’s process for selecting a vendor. Mr. Koskela and Mr. McElwee then provided an overview of how network segmentation works, and how it can help mitigate various risks facing entities, including malware, delayed patching, insider threats, and vulnerabilities from legacy systems.

2017 RF Regional Risk Assessment – Ray Sefchik provided an overview and led a discussion on the 2017 ReliabilityFirst Regional Risk Assessment (RRA) and the RRA process. He explained how the RRA provides an overview of the inherent, emerging, and identified risks in ReliabilityFirst’s footprint, and informs ReliabilityFirst’s risk-based activities and communications. Mr. Sefchik discussed the key risks identified in the 2017 RRA, which include Critical Infrastructure Protection (CIP); protection systems; monitoring and situational awareness; supply chain risk management; planning and system analysis; and human performance. He also discussed emerging risks such as fuel diversity impacts and the aging workforce. The Compliance Committee also discussed the creation of the internal RRA report, and encouraged staff to consider how to create a sanitized version of the report that can be shared with entities.

Implementation of the ERO CMEP Tool – Tony Jablonski provided an overview of the implementation of the ERO Compliance Monitoring and Enforcement Program tool (CMEP Tool). He discussed the objectives of the CMEP Tool, which include increasing efficiencies through collaboration tools; ensuring consistency in practices and data gathering; and reducing the combined NERC and Regional Entity IT capital investments. Mr. Jablonski outlined the functions of the CMEP Tool, and the areas it will support (e.g., enforcement processing, data submittals). He discussed ReliabilityFirst staff’s involvement in the CMEP Tool project, and the milestones and timeline for the project.

Mr. Jablonski then discussed challenges and considerations associated with the project, including compromises and consensus needed to harmonize business processes; ensuring timely execution; and data conversion from legacy systems.

Hearing Update – Patrick O’Connor provided an update on proposed revisions to the NERC Rules of Procedure’s hearing process, which include an option to move the hearing process from the Regions to NERC. Mr. O’Connor explained that the goals of the proposed revisions are to streamline costs and promote efficiency; enhance consistency; and eliminate ex parte concerns. He stated that the proposed revisions are pending approval with FERC. Following FERC approval, staff will seek the Compliance Committee’s endorsement of the revisions for approval by the Board. The Compliance Committee also discussed NERC and the Regions’ process to identify and select potential hearing officers.

Next Meeting – Chair Greene noted that the next Compliance Committee meeting will occur on August 29, 2018, in Cleveland, Ohio.

At 2:36 pm, Chair Greene moved the Compliance Committee into closed session. All guests recused themselves at this time.

Closed Session

Confidential Compliance & Enforcement Matters – Jeff Craigo and Jason Blake led a discussion on confidential Compliance and Enforcement matters.

Adjourn – Upon a motion duly made and seconded, Chair Greene adjourned the Compliance Committee meeting at 3:08 pm (ET).


As approved on this __ day of August, 2018, by the Compliance Committee,

Jason Blake
Vice President, General Counsel & Corporate Secretary


Attachment A

Others Present During the Compliance Committee Meeting

Lisa Barton • American Electric Power
Charlie Berardesco • NERC
Jason Blake • ReliabilityFirst, Vice President, General Counsel & Corporate Secretary
Larry Bugh • ReliabilityFirst
Jeff Craigo • ReliabilityFirst
Rob Eckenrod • PJM
Scott Etnoyer • Talen Energy
Tim Gallagher • ReliabilityFirst, President & CEO
Michael Gildea • FERC
Megan Gambrel • ReliabilityFirst
Tony Jablonski • ReliabilityFirst
Bryon Koskela • PJM
Deandra Williams-Lewis • ReliabilityFirst
Jeff Mitchell • ReliabilityFirst
Lou Oberski • Dominion
Ray Palmieri • ReliabilityFirst, Senior Vice President
Patrick O’Connor • ReliabilityFirst
Matt Paul • DTE Energy
Joe Robinson • DTE Energy
Ray Sefchik • ReliabilityFirst
Kristen Senk • ReliabilityFirst
Susan Sosbe • Wabash Valley Power Association
Lori Spence • MISO
Eric Stephens • MISO
Jennifer Sterling • Exelon
Jody Tortora • ReliabilityFirst
Jim Uhrin • ReliabilityFirst
Lynnae Wilson • Vectren


Overview of Registry and IRA Progress

Anthony Jablonski – Manager, Risk Analysis & Mitigation

August 29, 2018

Cleveland, OH


Forward Together • ReliabilityFirst

Topics

Overview of RF Registration

Inherent Risk Assessment Progress

Questions


Overview of RF Registration

[Chart: RF Functions. Categories: GOP, GO, DP, TO, TOP, RP, TP, BA, TSP, PA/PC, RC, RSG.]

[Chart: NERC Compliance Registry (NCR). Regions: FRCC, MRO, SERC, NPCC, TRE, RF, WECC. Data label: RF, 236.]


Overview – Inherent Risk Assessment Progress

[Chart: Comprehensive IRA Plan. Categories: Complete, No IRA, New Entities as of 12/18/17.]

[Chart: Comprehensive IRA Progress. Axis: Status. Categories: Comprehensive IRA Completed, In progress.]

• Collect Entity Information (Entity Profile Questionnaire Tool)

• Analyze 18 ERO Risk Factors

• Create External IRA Report


Questions & Answers


Enforcement Update and Observations

Kristen Senk, Managing Enforcement Counsel

August 29, 2018

Cleveland, OH


Violation Intake

[Chart: violation intake by year, 2007 through 2018. Series: No. 693 Violations, No. CIP Violations. Data labels in extraction order: 45, 127, 117, 173, 155, 192, 105, 69, 64, 111, 126, 72; 0, 7, 58, 274, 357, 359, 560, 288, 179, 197, 377, 222.]

• Volume increase since CIP version 5 - 500 violations in past 12 months

• RF has processed 380 violations in past 12 months

• Detective controls remain strong - 95% submitted through Self-Reports/Self-Logs

• Majority are lesser-risk issues


CIP Activity

Focus Areas

• Change Management (CIP-010)

• Patch Management (CIP-007)

Causes and Themes

• Insufficient asset and configuration management and workforce management

• Organizational Silos and Lack of Awareness (Vigilance)

Risk

• Mostly minimal risk (self-identified, short duration, narrow scope)

• Higher risk (ineffective detective/preventative controls)

[Chart: 2018 CIP Violations. Categories: CIP-007, CIP-010, CIP-004, CIP-011, CIP-006, CIP-005. Data labels in extraction order: 62, 62, 25, 18, 16, 12.]


Operations and Planning Activity

Focus Areas

• Protection System Maintenance and Testing (PRC-005)

• Facility Ratings (FAC-008/FAC-009)

Causes and Themes

• Insufficient asset and configuration management and verification

• Organizational Silos

Risk

• Minimal risk (self-identified, short duration, narrow scope)

• Higher risk (inaccurate understanding of number, configuration, and location of assets)

[Chart: PRC-005 and FAC-008/FAC-009 Violations, 2014 through 2018. Series: PRC-005, FAC-008/FAC-009. Data labels in extraction order: 20, 17, 15, 16, 19, 5, 8, 5, 6, 3.]


ERO Enterprise - Vegetation Management Violations


Understand and Communicate

Understand

• Root Cause Analysis

• Determine Best Practices

• Partner with Entities experiencing challenges

• Collaborate with Regional partners and NERC

Outreach

• RF Workshops (Entity Panels)

• Lessons Learned (Newsletter Articles, Webinars)

• Entity Dashboards and Transparency

• Assist Visits


FERC Order 848

Cyber Security Incident Reporting

Matt Thomas, Manager, CIP Compliance Monitoring

August 29, 2018

Cleveland, OH


Cyber Security Incident Reporting

December 2017: FERC Notice of Proposed Rulemaking (NOPR)

• Proposed to direct NERC to modify standards to improve and expand the mandatory reporting of cybersecurity incidents.

July 2018: FERC Order 848

• Final Rule directed NERC to develop and submit modifications to CIP Standards


Current Cyber Incident Reporting

CIP-008-5

• Only required if incident has compromised or disrupted one or more reliability tasks

• Cyber Security Incident vs Reportable Cyber Security Incident

• FERC believes it may understate the true scope of cyber-related threats

‒ 0 reportable incidents from January 2015 thru July 2018

EOP-004-3 and DOE-OE-417

Voluntary Sharing with E-ISAC

• Entities can voluntarily share incident information with the E-ISAC

CRISP – Cyber Security Risk Information Sharing Program


FERC Order 848 – Four Elements

1. Expanding required reporting of Cyber Security Incidents

2. Requiring specific information to be reported

3. Setting filing deadlines for reports

4. Specifying who reports should go to


Enhanced Reporting

To improve awareness of existing and future cyber security threats
