Agenda
Board of Directors • Compliance Committee
August 29, 2018 • 1:00 PM – 3:00 PM (ET)
ReliabilityFirst Corporation
3 Summit Park Drive, Suite 600 • Cleveland, OH 44131
Room: 5th Floor Conference Center
Attire: Business Casual
Open Agenda
1. Call to Order and Appoint Secretary to Record Minutes
Presenter: Brenton Greene, Chair
2. Antitrust Statement
Presenter: Brenton Greene, Chair
3. Approve Compliance Committee Meeting Minutes
Presenter: Brenton Greene, Chair
Reference: Draft Minutes for the May 23, 2018 Compliance Committee Meeting
Action: Approve Minutes
4. Overview of Registry and IRA Progress
Presenter: Tony Jablonski
Description: Mr. Jablonski will provide an overview of the ReliabilityFirst Registry and discuss progress made on completing Inherent Risk Assessments for all ReliabilityFirst Registered Entities.
Reference: Presentation
Action: Information and Discussion
5. Culture of Security
Presenter: Kevin Ball and Joseph Robinson, DTE Energy
Description: DTE Energy will discuss its efforts to develop and foster a culture of security across its entire organization.
Reference: Presentation *to be provided upon receipt
Action: Information and Discussion
6. Violation Trends
Presenter: Kristen Senk
Description: Ms. Senk will provide an update on current activity in the CIP and Operations and Planning Reliability Standards context. She will also discuss ReliabilityFirst’s efforts to better understand and perform appropriate outreach to help address identified causes.
Reference: Presentation
Action: Information and Discussion
7. FERC Order Expanding Cyber Security Reporting
Presenter: Matt Thomas
Description: Mr. Thomas will provide an overview of the recent FERC Order 848 expanding cyber security incident reporting.
Reference: Presentation
Action: Information and Discussion
8. Next Meeting
November 28, 2018 • Washington, DC
Closed Agenda
9. Confidential Compliance and Enforcement Matters
Presenter: Jeff Craigo and Jason Blake
Description: Mr. Craigo and Mr. Blake will present confidential matters.
Reference: Confidential Documents
Action: Information and Discussion
10. Adjourn
Roster • Compliance Committee
Brenton Greene, Chair • Independent (2019)
Larry Irving, Vice Chair • Independent (2018)
Ken Capps • At-Large (2019)
Patrick Cass • Independent (2020)
Michael Bryson • RTO (2018)
Draft Minutes for the May 23, 2018 Compliance Committee Meeting
DRAFT Minutes
Board of Directors • Compliance Committee
May 23, 2018 • Cleveland, OH
ReliabilityFirst Corporation
3 Summit Park Drive • Cleveland, OH 44131
Open Session
Call to Order – Chair Brenton Greene called to order a duly noticed open meeting of the Compliance Committee on May 23, 2018 at 1:00 pm (ET). A quorum was present, consisting of the following members of the Compliance Committee: Brenton Greene, Chair; Larry Irving, Vice Chair; Michael Bryson; Ken Capps; and Patrick Cass. A list of others present during the Compliance Committee meeting is set forth in Attachment A.
Appoint Secretary to Record Minutes – Chair Greene designated Megan Gambrel as the secretary to record the meeting minutes.
Antitrust Statement – Chair Greene advised all present that this meeting is subject to, and all attendees must adhere to, ReliabilityFirst’s Antitrust Compliance Guidelines.
Approve Compliance Committee Meeting Minutes – Chair Greene presented draft minutes for the March 14, 2018 Compliance Committee meeting, which were included with the agenda package. Upon a motion duly made and seconded, the Compliance Committee approved the minutes as presented.
PJM CIP Security Segmentation – Bryon Koskela and Steve McElwee from PJM Interconnection, LLC (PJM) provided an overview of PJM’s network segmentation project to continuously improve the security and compliance of its operations. They discussed the drivers for the project and PJM’s process for selecting a vendor. Mr. Koskela and Mr. McElwee then provided an overview of how network segmentation works, and how it can help mitigate various risks facing entities, including malware, delayed patching, insider threats, and vulnerabilities from legacy systems.
2017 RF Regional Risk Assessment – Ray Sefchik provided an overview and led a discussion on the 2017 ReliabilityFirst Regional Risk Assessment (RRA) and the RRA process. He explained how the RRA provides an overview of the inherent, emerging, and identified risks in ReliabilityFirst’s footprint, and informs ReliabilityFirst’s risk-based activities and communications. Mr. Sefchik discussed the key risks identified in the 2017 RRA, which include Critical Infrastructure Protection (CIP); protection systems; monitoring and situational awareness; supply chain risk management; planning and system analysis;
and human performance. He also discussed emerging risks such as fuel diversity impacts and the aging workforce. The Compliance Committee also discussed the creation of the internal RRA report, and encouraged staff to consider how to create a sanitized version of the report that can be shared with entities.
Implementation of the ERO CMEP Tool – Tony Jablonski provided an overview of the implementation of the ERO Compliance Monitoring and Enforcement Program tool (CMEP Tool). He discussed the objectives of the CMEP Tool, which include increasing efficiencies through collaboration tools; ensuring consistency in practices and data gathering; and reducing the combined NERC and Regional Entity IT capital investments. Mr. Jablonski outlined the functions of the CMEP Tool, and the areas it will support (e.g., enforcement processing, data submittals). He discussed ReliabilityFirst staff’s involvement in the CMEP Tool project, and the milestones and timeline for the project.
Mr. Jablonski then discussed challenges and considerations associated with the project, including the compromises and consensus needed to harmonize business processes; ensuring timely execution; and data conversion from legacy systems.
Hearing Update – Patrick O’Connor provided an update on proposed revisions to the NERC Rules of Procedure’s hearing process, which include an option to move the hearing process from the Regions to NERC. Mr. O’Connor explained that the goals of the proposed revisions are to streamline costs and promote efficiency; enhance consistency; and eliminate ex parte concerns. He stated that the proposed revisions are pending approval with FERC. Following FERC approval, staff will seek the Compliance Committee’s endorsement of the revisions for approval by the Board. The Compliance Committee also discussed NERC and the Regions’ process to identify and select potential hearing officers.
Next Meeting – Chair Greene noted that the next Compliance Committee meeting will occur on August 29, 2018, in Cleveland, Ohio. At 2:36 pm, Chair Greene moved the Compliance Committee into closed session. All guests recused themselves at this time.
Closed Session
Confidential Compliance & Enforcement Matters – Jeff Craigo and Jason Blake led a discussion on confidential Compliance and Enforcement matters.
Adjourn – Upon a motion duly made and seconded, Chair Greene adjourned the Compliance Committee meeting at 3:08 pm (ET).
As approved on this __ day of August, 2018, by the Compliance Committee,
Jason Blake
Vice President, General Counsel & Corporate Secretary
Attachment A
Others Present During the Compliance Committee Meeting
Lisa Barton • American Electric Power
Charlie Berardesco • NERC
Jason Blake • ReliabilityFirst, Vice President, General Counsel & Corporate Secretary
Larry Bugh • ReliabilityFirst
Jeff Craigo • ReliabilityFirst
Rob Eckenrod • PJM
Scott Etnoyer • Talen Energy
Tim Gallagher • ReliabilityFirst, President & CEO
Michael Gildea • FERC
Megan Gambrel • ReliabilityFirst
Tony Jablonski • ReliabilityFirst
Bryon Koskela • PJM
Deandra Williams-Lewis • ReliabilityFirst
Jeff Mitchell • ReliabilityFirst
Lou Oberski • Dominion
Ray Palmieri • ReliabilityFirst, Senior Vice President
Patrick O’Connor • ReliabilityFirst
Matt Paul • DTE Energy
Joe Robinson • DTE Energy
Ray Sefchik • ReliabilityFirst
Kristen Senk • ReliabilityFirst
Susan Sosbe • Wabash Valley Power Association
Lori Spence • MISO
Eric Stephens • MISO
Jennifer Sterling • Exelon
Jody Tortora • ReliabilityFirst
Jim Uhrin • ReliabilityFirst
Lynnae Wilson • Vectren
Presentation
Overview of Registry and IRA Progress
Anthony Jablonski – Manager, Risk Analysis & Mitigation
August 29, 2018
Cleveland, OH
Forward Together • ReliabilityFirst
Topics
Overview of RF Registration
Inherent Risk Assessment Progress
Questions
Overview of RF Registration
[Chart: RF Functions – number of registered functions by function type (GOP, GO, DP, TO, TOP, RP, TP, BA, TSP, PA/PC, RC, RSG); y-axis 0–180]
[Chart: NERC Compliance Registry (NCR) – registered entities by Region (FRCC, MRO, SERC, NPCC, TRE, RF, WECC); x-axis 0–400; RF shown at 236]
Overview – Inherent Risk Assessment Progress
[Chart: Comprehensive IRA Plan – entities by status (Complete, No IRA, New Entities as of 12/18/17); y-axis 0–180]
[Chart: Comprehensive IRA Progress – status (Comprehensive IRA Completed, In progress); y-axis 0–50]
• Collect Entity Information (Entity Profile Questionnaire Tool)
• Analyze 18 ERO Risk Factors
• Create External IRA Report
Questions & Answers
Presentation
Enforcement Update and Observations
Kristen Senk, Managing Enforcement Counsel
August 29, 2018
Cleveland, OH
Violation Intake
[Chart: Violation Intake, 2007–2018 – two series per year: No. 693 Violations and No. CIP Violations; y-axis 0–600]
• Volume increase since CIP version 5 - 500 violations in past 12 months
• RF has processed 380 violations in past 12 months
• Detective controls remain strong - 95% submitted through Self-Reports/Self-Logs
• Majority are lesser-risk issues
CIP Activity
Focus Areas
• Change Management (CIP-010)
• Patch Management (CIP-007)
Causes and Themes
• Insufficient asset and configuration management and workforce management
• Organizational Silos and Lack of Awareness (Vigilance)
Risk
• Mostly minimal risk (self-identified, short duration, narrow scope)
• Higher risk (ineffective detective/preventative controls)
[Chart: 2018 CIP Violations by standard – CIP-007, CIP-010, CIP-004, CIP-011, CIP-006, CIP-005; values labelled on the chart, in the order extracted: 62, 62, 25, 18, 16, 12]
Operations and Planning Activity
Focus Areas
• Protection System Maintenance and Testing (PRC-005)
• Facility Ratings (FAC-008/FAC-009)
Causes and Themes
• Insufficient asset and configuration management and verification
• Organizational Silos
Risk
• Minimal risk (self-identified, short duration, narrow scope)
• Higher risk (inaccurate understanding of number, configuration, and location of assets)
[Chart: PRC-005 and FAC-008/FAC-009 Violations, 2014–2018 – two series per year: PRC-005 and FAC-008/FAC-009; values labelled on the chart, in the order extracted: 20, 17, 15, 16, 19, 5, 8, 5, 6, 3]
ERO Enterprise - Vegetation Management Violations
Understand and Communicate
Understand
• Root Cause Analysis
• Determine Best Practices
• Partner with Entities experiencing challenges
• Collaborate with Regional partners and NERC
Outreach
• RF Workshops (Entity Panels)
• Lessons Learned (Newsletter Articles, Webinars)
• Entity Dashboards and Transparency
• Assist Visits
Questions & Answers
Presentation
FERC Order 848 – Cyber Security Incident Reporting
Matt Thomas, Manager, CIP Compliance Monitoring
August 29, 2018
Cleveland, OH
Cyber Security Incident Reporting
December 2017: FERC Notice of Proposed Rulemaking (NOPR)
• Proposed to direct NERC to modify standards to improve and expand the mandatory reporting of cybersecurity incidents.
July 2018: FERC Order 848
• Final Rule directed NERC to develop and submit modifications to CIP Standards
Current Cyber Incident Reporting
CIP-008-5
• Only required if incident has compromised or disrupted one or more reliability tasks
• Cyber Security Incident vs Reportable Cyber Security Incident
• FERC believes it may understate the true scope of cyber-related threats
‒ 0 reportable incidents from January 2015 through July 2018
EOP-004-3 and DOE-OE-417
Voluntary Sharing with E-ISAC
• Entities can voluntarily share incident information with the E-ISAC
CRISP – Cyber Security Risk Information Sharing Program
FERC Order 848 – Four Elements
1. Expanding required reporting of Cyber Security Incidents
2. Requiring specific information to be reported
3. Setting filing deadlines for reports
4. Specifying who reports should go to
Enhanced Reporting
To improve awareness of existing and future cyber security threats
Questions & Answers
Confidential Documents