Appendix A8 - Western Electricity Coordinating Council (WECC) 2015 CMEP Implementation Plan


This Appendix contains the CMEP Implementation Plan (IP) for WECC as required by the NERC Rules of Procedure.

1. Compliance Monitoring and Enforcement

1.1 CMEP IP Highlights and Material Changes

Enhanced Regional Coordination

In 2014, WECC coordinated enforcement activities for some registered entities across multiple regions. In addition, WECC continued to identify registered entities that could qualify for coordinated compliance and enforcement activities under a forthcoming Multi-Regional registered entity (MRRE) Process. WECC plans to work with NERC and the other Regions in 2015 to implement the MRRE Process as appropriate.

Departmental Reorganization: Enforcement and Compliance Risk Analysis

In 2014, the WECC Compliance Department restructured to more appropriately allocate resources to prepare to implement the Reliability Assurance Initiative (RAI) in Subject matter experts previously working within the WECC Enforcement Team moved to the newly created Compliance Risk Analysis functional group. The Compliance Risk Analysis Group will continue to focus on conducting reviews and technical assessments of all self-identified violations and mitigation plans. In addition, this group will focus on Inherent Risk Assessments (IRAs) and Internal Controls Evaluations (ICEs) as part of the RAI.

Strengthened Settlement Process

During 2014, WECC continued to leverage information gained from risk analysis, lessons learned, best practices, and other information to enhance monitoring and enforcement activities. For example, in negotiating settlement agreements disposing of violations, WECC may propose reliability-focused terms aimed at improving reliability, culture of compliance, internal controls, and internal compliance programs. Most settlements reached in 2014 included such reliability-focused activities.
In addition, WECC began sharing best practices and lessons learned on its Compliance website during 2014 and will continue to expand this information in

Other Regional Key Initiatives & Activities

During 2015, WECC will implement the ERO's risk-based approach to compliance monitoring in conducting CMEP-related activities. WECC will phase in implementation of IRA and ICE activities to help determine the best use of its resources and understand that WECC's processes will evolve throughout the year.

Risk-based Framework for Off-site Audits

In 2015, WECC will implement the ERO Risk-based Compliance Oversight Framework, as described in the ERO CMEP IP, for conducting off-site audits for certain registered entities, different from the annual one-size-fits-all formal off-site compliance audit strategy that WECC has implemented since This tailored audit strategy considers the inherent risks posed by the registered entities in choosing the appropriate monitoring engagement. WECC conducted a risk assessment of all entities scheduled for off-site audits in Based on the risk assessment, WECC will conduct off-site audits as usual for some entities. However, for most entities otherwise due for the off-site audit, WECC will substitute the annual Self-Certification process, combined with a focused validation of the annual Self-Certifications. WECC plans to continue to perform all on-site audits during 2015 as scheduled.

Inherent Risk Assessment (IRA) Process

WECC Compliance will perform an IRA of registered entities to identify areas of focus and the level of effort needed to monitor compliance with NERC Reliability Standards for a particular Entity or category of Entity. While the IRA is similar in nature to what WECC has been doing in the past several years when scoping audits, the IRA will strengthen the process. In 2015, WECC plans to conduct IRAs for registered entities that have an on-site audit scheduled. If resources permit, during 2015 WECC may conduct IRAs for other registered entities as well.

Internal Controls Evaluation (ICE) Process

WECC Compliance may perform an ICE of certain registered entities to assess their internal controls, which may further focus the level and effort needed to monitor compliance with NERC Reliability Standards for a particular Entity. For 2015, WECC will roll out the ICE process on a limited basis. Any entity that has a scheduled audit in third or fourth quarters 2015 may volunteer for the ICE program. WECC will contact each such entity in early 2015 to provide more information and discuss the Entity's options.

If a registered entity volunteers for the ICE process, WECC will evaluate its internal controls that support compliance with the Reliability Standards. WECC will assess the strength of these controls and provide the entity with feedback. WECC will use its evaluation of internal controls to determine the scope and depth of the compliance monitoring activity and any potential impacts on enforcement processing of violations and mitigation plans submitted by entities.

Registered entities may elect not to participate in an ICE. In that case, WECC will use the results of the IRA to determine the appropriate compliance monitoring strategy. WECC also will provide more information in 2015 regarding the expansion of this program in 2016 and beyond.
For Entities not eligible for this process in 2015, WECC will work with interested entities to recommend how it could focus on identifying, organizing, and strengthening detective, preventative and corrective controls pertaining to the Reliability Standards. WECC will post guidance specific to its ICE review process in early 2015 and will update ICE-related information during the year as appropriate.

Internal Compliance Program Assessment (ICPA)

WECC will continue its voluntary ICPA Program, originally launched during 2012, in The ICPA Program is a tool Entities can, but are not required to, use to assist in the development of strong Internal Compliance Programs (ICPs). WECC provides feedback, highlighting exemplary practices and providing recommendations for improvement where appropriate. As the ICE process develops, WECC will consider merging the ICPA process with the ICE process.

CIP v5 Implementation

In 2014, WECC made significant efforts to prepare both staff and registered entities to be compliant with CIP v5. WECC will follow NERC's Transition Guidance for CIP-related monitoring and enforcement during 2015, in anticipation of the 2016 compliance date. During 2014, WECC conducted numerous outreach activities and materials to assist registered entities in making the transition. All presentations and associated material are available via WECC's website.

The WECC Cyber Security Audit Team will use the NERC CIP v5 transition guidance in conjunction with the NERC RAI program during its 2015 audit engagements. While maintaining its schedule of 2015 on-site audits, the WECC Cyber Security Audit Team will continue to engage its registered entities, NERC and the other Regions in ensuring a consistently applied audit approach on CIP v5. WECC encourages registered entities to take a proactive approach in transitioning to CIP v5. If registered entities encounter any issues in their transition, WECC encourages them to contact WECC to work through the issues.

Physical Security Standard Implementation

WECC has been actively engaged in CIP-014 activities during 2014, dedicating resources and leveraging key relationships with Standard Drafting Team members and industry to inject subject matter expertise and practical experience into both the Standard and RSAW. WECC has a number of CIP auditors with strong physical security credentials. To share this expertise, WECC has developed and delivered multiple presentations to both industry and other Regions, providing a next-steps perspective aimed at aiding registered entities in a move toward increased security and compliance with CIP-014. Presentations and other materials are on WECC's website.

2. Regional Risk Assessment Process

This section provides a description of how WECC assessed risk in the Western Interconnection and determined associated Reliability Standards for consideration in its Regional compliance monitoring plan. In identifying risks, WECC considered risks identified by NERC in its risk elements Guide for Development of the 2015 CMEP IP. In addition, for the Western Interconnection, WECC specifically considered factors such as footprint and registered entity characteristics, registered functions, geographic locations, system events and trends, compliance history, SCADA systems, FERC Orders and Guidance, et al. A summary of the specific risks, and associated standards, follows, for both Critical Infrastructure Protection (CIP) and Operations and Planning (O&P) Standards:

3. Regional Risks and Associated Reliability Standards

The standards identified below generally will be in scope for compliance monitoring for entities to which the standards apply, and thus they are similar to the Actively Monitored Lists in the past. During 2015, as WECC phases in and matures its RAI-related activities, it will begin to tailor monitoring activities to more closely match individual entity risks. WECC may contact individual Entities to provide more focused scope for audits or Self-Certifications, for example.
WECC will give priority to focusing on entities scheduled for on-site audits during 2015, and to other Entities for which it may have conducted the Inherent Risk Analysis and, if applicable, the Internal Controls Evaluation.

Critical Infrastructure Protection (CIP)

Over the past several years, cyber security threats have been on the rise in the electricity sector. As Entities have become more reliant on automated systems and integrated technology, it has become more important to identify the cyber security risks associated with using these advanced technologies. While the electric sector has yet to experience a cyber-attack affecting reliable operation of the Bulk Power System, WECC believes the risk of a large-scale cyber-attack is significant and must be addressed to the extent possible through standards monitoring.

To help focus compliance monitoring and enforcement efforts, WECC has identified seven cyber security areas of risk that pose the greatest threat to the Western Interconnection. WECC's Compliance Risk Analysis and Cyber Security Audit teams developed the seven areas of risk identified below. These risks were identified by considering the risks identified by NERC, the history of most violated CIP Standards in the Western Interconnection, and WECC's experience in conducting Cyber Security audits, reviewing self-disclosed violations, and professional expertise of Compliance Risk Analysis and Cyber Security Audit teams.

Event and incident response, continuity of operations: This area relates to establishing and maintaining plans, procedures, and technologies to detect, analyze, and respond to cyber security events.

Threat and vulnerability management: This area relates to establishing and maintaining plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cyber security threats and vulnerabilities.

Risk management: This area relates to establishing, operating, and maintaining an enterprise cyber security risk management program to identify, analyze, and mitigate cyber security risk to the organization.

Asset and configuration management: This area relates to managing an entity's information technology assets, including hardware and software.

Identity and access management: This area relates to creating and managing logical or physical access to an entity's assets.

Workforce management: This area relates to establishing and maintaining plans, procedures, technologies, and controls to create a culture of cyber security and to ensure the ongoing suitability and competence of personnel.

Situational awareness: This area relates to establishing and maintaining activities and technologies to collect, analyze, alarm, present, and use power system and cyber security information, including status and summary information.

As part of this project, WECC also identified the CIP Standards most commonly associated with these areas of risk. Based on the degree of association of the CIP Standards with a given risk area, WECC created a list of Standards most closely associated with these areas of risk:

CIP Reliability Standards Subject to WECC Monitoring

Regional Risk: Event and incident response, continuity of operations
It is essential for registered entities to develop plans to respond to cyber-security events. Failure to do so could significantly increase the exposure of the threat and time a realized threat exists. Significant impact could occur if entities cannot properly and quickly respond to threats. This area has been reported on as needing attention in the NERC Cyber Attack Task Force final report and the ERO Priorities RISC Updates and Recommendations report.
Standards: CIP-007 R6, CIP-008 R1, CIP-009 R2

Regional Risk: Threat and vulnerability management
Not having procedures to detect and respond to cyber vulnerabilities could adversely affect organizational operations, including logical and physical assets. This risk area has been highlighted in the NERC Cyber Attack Task Force final report, ERO Priorities RISC Updates and Recommendations report, 2013 Long-Term Reliability Assessment report, and ERO Top Priority Reliability Risks report.
Standards: CIP-005 R4, CIP-007 R8, CIP-008 R1

Regional Risk: Risk management
A risk management program that oversees an organization's cyber security risk could have far-reaching effects throughout all the entity's cyber security programs to mitigate threats both physical and logical. This area makes the foundation of a registered entity's cyber security framework. The DOE guide Risk Management Process highlights the need for cyber security risk management being a part of an organization's mission and business requirement.
Standards: CIP-002 R1, CIP-008 R1

Regional Risk: Asset and configuration management
Not knowing which assets are performing critical functions for the entity could lead to misconfigured assets and lack of necessary protections for those assets. Since asset configurations impact the security and operation of every asset, it is critical to properly account for, and manage this area.
Standards: CIP-002 R2, CIP-002 R3, CIP-003 R6, CIP-005 R1, CIP-007 R1, CIP-007 R2, CIP-007 R3, CIP-007 R4

Regional Risk: Identity and access management
Identity and access management is one of the most important components of a registered entity's security infrastructure. An entity's information assets must be accessible only to individuals who are granted explicit entitlements to specific information. Failure to manage identity and access to cyber assets could allow malicious individuals to have access to key facilities, devices and services.
Standards: CIP-004 R4, CIP-005 R2, CIP-006 R1, CIP-006 R4, CIP-007 R5

Regional Risk: Situational awareness
Not having information about an entity's systems does not allow the entity to take corrective actions to detect and prevent failure and compromise. It is essential for registered entities to have awareness about their environment. Failing to do so could prevent them from being protected against attacks. The RISC's ERO Priorities RISC Updates and Recommendations report, NERC's ERO Top Priority Reliability Risks report, and the Cyber Attack Task Force final report highlight this concern.
Standards: CIP-005 R3, CIP-006 R5, CIP-007 R6

Operations and Planning (O&P)

The O&P Audit team and Compliance Risk Analysis team have identified areas of risk to the Western Interconnection.
These risks were identified by considering the risks identified by NERC documents (ERO Top Priority Reliability Risks and 2015 ERO Compliance Monitoring and Enforcement Implementation Plan), history of most violated Operations and Planning Standards in the Western Interconnection, Event analysis reports, WECC's experience in conducting Operations and Planning audits, reviewing self-disclosed violations, and professional expertise of WECC Compliance Risk Analysis and Operations and Planning Audit teams.

Human Performance: This area relates to a range of issues facing the electricity industry today, including the imminent loss of critical skills and knowledge with the retirement of an aging workforce, cognitive overload of System Operators complicating the task of maintaining reliability, and an apparent shift in operating philosophy toward operating to standards rather than to reliability.

Equipment Failure: This area relates to equipment failure due to aging infrastructure of generation facilities, transmission facilities, and substations. In addition to this, there is a risk associated with failure of adequate coordination with other entities and consideration of impact on the BPS.

Changing Resources: Variable Generation Integration: This area refers to the composition of installed electric generation capacity that makes up the resource portfolio. Additionally this area also refers to the challenges faced due to integration of variable generation, planning for changes in system composition, replacing retired capacity or coal generation.

Protection System Reliability: This area relates to Special Protection Scheme/Remedial Action Scheme (SPS/RAS) effectiveness, SPS/RAS proliferation, misoperation of the protection system devices, and increasing RAS events. In addition to this, there is a risk associated with failure of adequate coordination with other entities and consideration of impact on the BPS.

Situational Awareness: Situational awareness refers to the ability to see and comprehend what is happening on the system. This area relates to importance of including Real-Time Contingency Analysis (RTCA) Tools, next-day studies in planning studies. It also relates to inadequate data coordination, data failure, data shrinkage (unexpected outages of tools providing data to operators) leading to operators not having enough visibility to some or all the system they operate.

Changing Load Composition: This area relates to changing load shape, changing load patterns, increased A/C penetration like plug-in vehicles.

Vegetation and Right of Way issues: This area relates to outages that are caused due to inability to maintain vegetation like grow-in issues in the transmission line or Right of Way clearance issues. It refers to recently approved new NERC standard that specifically relates to the outages caused due to interrelationship between vegetation growth rates, vegetation control methods and inspection frequency which if ignored might lead to encroachment into minimum vegetation clearance distances. This can lead to loss of load or generation.

Transmission Planning Adequacy: This area relates to need and importance of transmission study models in forecasting and monitoring load, transmission, generation, and facility devices.

High-Impact Low-Frequency Events: This area relates to specific events that might not happen frequently but might pose a higher impact to the reliability of the BPS.
Adequacy of Reserves: This area relates to changing Reserve Sharing requirements due to increasing risk of distributed generation, retirement of certain generations due to environmental regulations.

As a result of this project, WECC identified the O&P Standards most commonly associated with these areas of risk. Based on the degree of association of the O&P Standards with a given risk area, WECC created a list of Standards most closely associated with these areas of risk:

O&P Reliability Standards Subject to WECC Monitoring

Regional Risk: Human Performance
Human Error has been responsible for many historical outages. Human performance challenges encompass a range of issues including the imminent loss of critical skills and knowledge with the retirement of an aging workforce, cognitive overload of System Operators complicating the task of maintaining reliability, and an apparent shift in operating philosophy toward operating to standards rather than to reliability. These issues are pervasive and require coordinated industry efforts to address.
Standards: COM R2, PER R3

Regional Risk: Equipment Failure
As the components of the BPS continue to age, the likelihood of failure increases. Additionally, engineering margins have been minimized through advances in technology which means that BPS components construction practices are less robust. For example, a s transformer may have been over-built to take system changes, but today's transformers are built with thinner margins and are less likely to withstand system dynamics as well. Hence, tracking the rate of occurrence aids industry in understanding and identifying potential systemic issues, such as manufacturing flaws or operational practices.
Standards: FAC-501-WECC-1 R3, PRC R2, PRC R3, PRC R4, PRC R, PRC R2, PRC R1, PRC R1

Regional Risk: Changing Resources: Variable Generation Integration
The 2013 and 2014 NERC State of Reliability Reports identified AC substation equipment failure as significant contributors to disturbance events, with a positive correlation to increased transmission outage severity. With the increased installation of variable generation, fluctuations in generation and load increase the dependency of system reserves, peaking plants, and energy storage systems. Also, as generation and load fluctuate, facilities need to ramp up and down more frequently increasing maintenance requirements and the risk of mechanical and electrical failures.
As more renewable resources are brought online and traditional resources are decommissioned, the available rotating inertia and base-load is reduced which may increase the risk to BES stability. Maintaining resource adequacy will be an ongoing challenge as the resource mix changes. As noted in the WECC annual Power Supply Assessment Report's current projection, the reserve margins will be adequate for the next seven to ten years. Changes outside the assumptions used in resource adequacy evaluations could present challenges.
Coal plants are also used for base loading. With the expansion in variable generation, base load plants are needed to provide operating reserves during periods of generation fluctuations (solar and wind). The loss of these plants will increase generation availability risk and grid volatility.
Standards: BAL-002-WECC-2 R1, BAL-002-WECC-2 R2, BAL-002-WECC-2 R3, BAL-002-WECC-2 R4

Regional Risk: Protection System Reliability
A failure of the protection system reliability could result in increased risk of cascading events, system instability, and interconnection separations. While protection systems continue to be upgraded to microprocessor based systems, the older Electro-Mechanical and solid state designs are still used and, given their age, impose a risk to reliability. Additionally, interaction of Remedial Action Scheme (RAS) poses a challenge. RAS are designed and tested for specific systems or parts of systems, so their operation in protecting those systems is well understood. But understanding of how RAS interact or impact one another is less well understood. Evaluating the potential interactions, and then managing those interactions that present a risk, is important for reliability.
Standards: PRC R3, PRC R4, PRC R5, PRC R6, PRC a R1, PRC a R2, PRC-004-WECC-1 R1, PRC-004-WECC-1 R2, PRC R2, PRC R3, PRC R4, PRC R1, PRC R2, PRC R1, PRC R1, PRC R2, PRC R1, PRC R1, PRC R1

Regional Risk: Situational Awareness
Situational Awareness refers to the ability to see and comprehend what is happening on the system. There are a number of processes necessary to maintaining situational awareness, including real-time monitoring and real-time and near-term contingency analysis studies. The coordination and sharing of data is critical to situational awareness because each process relies on various types of data. The lack of adequate situational awareness limits entities' ability to identify and plan for the next most critical contingency, which, in turn, impacts the reliability of the entire system.
Standards: COM R1, EOP R2, EOP R1, EOP R9, EOP R10, EOP R3, EOP R4, IRO R6, IRO R7, IRO R8, IRO a R1, IRO R1, IRO R2, PER R3, TOP b R4, TOP b R11, TOP b R19, TOP R6, TOP R2, TOP-007-WECC-1a R1

Regional Risk: Changing Load Composition
Load composition refers to the combination of energy consumption patterns, e.g., peaks, and types of demand, e.g., residential or commercial. Both consumption patterns and types of demand are changing. Future changes to load composition could present operational and planning challenges like mechanism for reducing demand, mechanism for removing load, high penetration of new types of demand and load changes that affect stability considerations.
Standards: BAL-002-WECC-2 R1, BAL-002-WECC-2 R2, BAL-002-WECC-2 R3, BAL-002-WECC-2 R4, PER R3, TPL R1, TPL-002-0b R1, TPL-003-0b R1, TPL-004-0a R1

Regional Risk: Vegetation and Right of Way issues
Vegetation management and Right of Way issues refer to the encroachment of vegetation due to lack of trimming or due to incorrect clearances of the transmission lines. Aging transmission lines might not adhere to the minimum clearances. Having less clearance along with vegetation growth issues could lead to vegetation related outages. Per NERC Technical Reference, trees that have grown out of specification could contribute to a cascading grid failure, especially under heavy electrical loading conditions.
Standards: FAC R1, FAC R2, FAC R6, FAC R7

Regional Risk: Transmission Planning Adequacy
Maintaining a healthy transmission system is vital for reliability of the grid. Transmission Planning adequacy refers to accuracy and reliability of various study models to study load forecast, transmission system behavior for addition or retirement of generating facilities and facility designs. A coordinated and accurate transmission model becomes important for identifying system behaviors and planning for future load demand. Additionally, planning and operational models that use different representations lead to inconsistent understanding of contingencies and duplication of modeling efforts, both of which may lead to inaccurate prediction of power system behavior.
Standards: FAC R5, FAC R6, TOP R6, TOP R2, TOP R4, TPL R1, TPL-002-0b R1, TPL-003-0b R1, TPL-004-0a R1

Regional Risk: High-Impact Low-Frequency Events
High-impact low-frequency events refer to events such as coordinated physical or cyber-attack, pandemic, geomagnetic disturbance, or large-scale disasters. A coordinated attack on the electric system could result in damage to key systems and components and render part or all of the system inoperable for an extended period of time.
Standards: EOP b R2, EOP b R3, EOP b R4, EOP R8, EOP R1, EOP R6, EOP R9, EOP R10, EOP R11, EOP R17, EOP R1, EOP R9, EOP R10, EOP R3

Regional Risk: Adequacy of Reserves
Plant retirements due to implemented environmental regulations increase uncertainty in future resources. Additionally, other potential environmental regulations are leading to cases where resources may be inadequate to ensure firm demand is served at all times. As the system continues to change, some concerns are identified with insufficient reserve margins by some entities.
Standards: EOP R4, PER R3, BAL-002-WECC-2 R1, BAL-002-WECC-2 R2, BAL-002-WECC-2 R3, BAL-002-WECC-2 R4

4. Compliance Oversight Plan

WECC will perform all on-site audits during 2015 as scheduled, as required by the NERC Rules of Procedure. Entities scheduled for on-site audits during 2015 are included in the table titled "2015 Audit Schedule" below. For all such audits, WECC will apply a risk-based approach in accordance with the RAI.

For Entities due for an off-site audit during 2015, WECC has conducted a risk assessment. Based on that assessment, WECC has, for most of these entities, substituted the annual Self-Certification process for reporting year 2014 combined with a focused validation of the Self-Certifications. WECC will conduct off-site audits as scheduled for all other Entities. Entities still scheduled for an off-site audit are included in the "2015 Audit Schedule" below.

Compliance Audits

WECC will conduct scheduled Compliance Audits for 2015 using the Reliability Standard Requirements listed in the tables titled "CIP Reliability Standards Subject to WECC Monitoring" and "O&P Reliability Standards Subject to WECC Monitoring" in Section 3 above (collectively, the "Reliability Standards Subject to WECC Monitoring in 2015") as a baseline, as well as an Entity's Registered Functions.
A summarized list of CIP and O&P Reliability Standards subject to Audit for 2015 is included in the Reliability Standards Subject to WECC Monitoring 2015 document on the WECC website. The scope of each audit, however, may be adjusted based on WECC's risk IRA (and ICE if available) of the registered entity.

Annual Self-Certification

As noted in WECC's 2014 CMEP Implementation Plan, the annual Self-Certification for reporting year 2014 will begin December 15, 2014, when WECC will post the Self-Certification Schedule and Forms and send notification to registered entities. The submittal period will run from January 1 through March 2, In 2016, WECC will conduct the annual Self-Certification for reporting year WECC will post the Self-Certification Schedule and Forms and send the Self-Certification notification to registered entities on December 15, The notification will inform Entities of the reporting period (January 1 through December 31, 2015) and the submittal period (January 1 through March 1, 2016), as well as provide information on the Reliability Standard Requirements covered.

Subject to an entity's Registered Functions, the Reliability Standards Requirements for Self-Certification will be determined, in part, by those listed in the tables titled "CIP Reliability Standards Subject to Regional Monitoring" and "O&P Reliability Standards Subject to Regional Monitoring" in Section 3 above. In addition, Reliability Standard Requirements listed in the table titled "Additional Reliability Standards Subject to Self-Certification" below are included to make up the Self-Certification baseline.

A summarized list of Reliability Standards subject to Self-Certification for 2015 is included in the Reliability Standards Subject to WECC Monitoring 2015 document on the WECC website. The scope of each Self-Certification, however, may be adjusted based on WECC's IRA (and ICE if available) of the registered entity.

WECC may also validate the accuracy of Self-Certification submittals of "Compliant," "Not Applicable" and/or "Do Not Own" through various analyses, including sending data requests to registered entities for randomly selected Self-Certifications for certain Reliability Standard Requirements and Registered Functions.

Additional Reliability Standards Subject to Self-Certification

Regional Risk: Repeat Violations
Reliability Standard Requirements with repeat violations over the most recent 12-month period can be one indication of the possibility of increased risk. These Standard Requirements are included in addition to those listed in the tables in Section 3 titled "CIP Reliability Standards Subject to Regional Monitoring" and "O&P Reliability Standards Subject to Regional Monitoring" to form the baseline of Reliability Standard Requirements subject to Self-Certification for reporting year
Standards: CIP-002 R4, CIP-003 R2, CIP-004 R3, CIP-005 R5, CIP-006 R2, CIP-006 R6, CIP-007 R9, CIP-009 R5, EOP-001 R5, FAC-008 R2, FAC-008 R3, FAC-010 R1, FAC-010 R4, FAC-010 R3, IRO-010 R3, PER-005 R1, PRC-005 R1, VAR-001 E.A.14, VAR-002 R3, VAR-002 R2

Periodic Data Submittals (PDS)

As part of the CMEP, registered entities must submit Periodic Data Submittals (PDS) on schedules required by applicable Reliability Standards, or as established by NERC, or on an as-needed basis where requested by WECC. These Reliability Standards are listed in the table below titled Reliability Standards Subject to Periodic Data Submittal. A summarized list at the Sub-Requirement level is also included in the Reliability Standards Subject to WECC Monitoring on the WECC website.

Reliability Standards Subject to Periodic Data Submittal

These Reliability Standards include requirements for registered entities with applicable Registered Functions to submit data on a periodic basis as indicated in the Requirement or relevant Sub-Requirement.

BAL R1
BAL R2
BAL R1
BAL R2
BAL R3
BAL R4
BAL R5
BAL R6
BAL b R1.2
BAL R4
COM R2
EOP R2
FAC R1
FAC R2
FAC R6
FAC R7
IRO-006-WECC-1 R1
IRO-006-WECC-1 R2
PRC a R3
PRC-004-WECC-1 R3
PRC R1
PRC R5
PRC R6
TPL-002-0b R3
TPL-003-0b R3
TPL-004-0a R2
VAR-002-WECC-1 R1
VAR-002-WECC-1 R2
VAR-501-WECC-1 R1
VAR-501-WECC-1 R2

2015 Audit Schedule

Note that the WECC audit schedule may be revised from time to time during Thus, the 2015 Audit Schedule shown below for both on-site and off-site audits applies only as of November, The most up-to-date audit schedule, including all revisions and updates, is on WECC's website here: WECC 2015 Audit Schedule. The on-line schedule should be consulted to ensure accuracy as this 2015 IP will not be republished and re-posted to reflect each change to the audit schedule during

NCR #     Registered Entity
NCR05335  Public Utility District No. 1 of Snohomish County
NCR11458  RockTenn
NCR10292  Shiloh Wind Project 2, LLC
NCR05402  Southwest Transmission Cooperative, Inc.
NCR05321  Platte River Power Authority
NCR05441  US Bureau of Reclamation
NCR05441  US Bureau of Reclamation
NCR10310  Brush Cogeneration Partners
NCR10311  Colorado Energy Management - BCP
NCR10347  Panoche Energy Center LLC
NCR11150  GenOn Delta
NCR10289  Peak Reliability
NCR05282  NorthWestern Corporation
NCR05153  Eugene Water & Electric Board
NCR05106  Colorado Springs Utilities
NCR05465  Western Area Power Administration - Sierra Nevada Region
NCR05430  Transmission Agency of Northern California
NCR10323  Midway Peaking, LLC
NCR11054  South Feather Power Project
NCR10350  Windy Flats Partners, LLC
NCR10030  Tri-State Generation and Transmission Association, Inc. - Reliability
NCR11226  Intermountain Rural Electric Association
NCR05377  San Diego Gas & Electric
NCR05315  Pend Oreille County Public Utility District No. 1
NCR10348  Sunray Operating Services, LLC
NCR10349  EthosEnergy Group
NCR10345  Three Buttes Windpower LLC
NCR05030  Black Hills Corporation
NCR05206  Klickitat County PUD
NCR05163  NextEra Energy Resources, LLC
NCR05191  Idaho Power Company
NCR05366  Rocky Mountain Reserve Group
NCR05281  Northwest Power Pool Reserve Sharing Group
NCR10378  Colorado Energy Management - MPC
NCR05464  Western Area Power Administration - Rocky Mountain Region
NCR05023  Basin Electric Power Cooperative
NCR05315  Pend Oreille County Public Utility District No. 1
NCR05299  Pacific Gas and Electric Company
NCR05398  Southern California Edison - Transmission & Distribution Business Unit
NCR10396  Otay Mesa Energy Center, LLC
NCR11104  NAES Corporation - Harvest Wind Project
NCR05377  San Diego Gas & Electric
NCR05299  Pacific Gas and Electric Company
NCR05048  California Independent System Operator
NCR03036  Trans Bay Cable LLC

5. Compliance Outreach

WECC conducts seminars and workshops for Registered Entities to assist them in their compliance activities. The seminars and workshops are important learning exercises for those subject to Reliability Standards. During 2015, WECC will continue its outreach efforts to provide education, seminars, workshops and panel discussions to increase registered entities' awareness of and understanding of Reliability Standards. A few of WECC's outreach efforts are as follows:

Compliance Outreach Activities

Outreach Activity: Anticipated Date
Compliance User Group (CUG)/Critical Infrastructure Protection User Group (CIPUG): January 27-29, 2015, Anaheim, CA
Compliance User Group (CUG)/Critical Infrastructure Protection User Group (CIPUG): June 2-4, 2015, Portland, OR
Compliance User Group (CUG)/Critical Infrastructure Protection User Group (CIPUG): October 13-15, 2015, San Diego, CA
CIP 101 Seminar: Sept. 9-10, 2015, Salt Lake City, UT
CIP Low Impact Assets Seminar: Feb. 3-5, 2015, Salt Lake City, UT
WECC Open Webinar: Third Thursdays of most months
Compliance 101 Webinar: Three times a year prior to CUG/CIPUG

Monthly Open Webinars

Since many of the questions the WECC Compliance Staff receives are very similar, WECC answers questions in an open forum for greater efficiency. WECC Compliance Subject Matter Experts participate on this webinar and respond to questions. In fairness to everyone on the call, WECC does not address entity-specific questions and issues.

Compliance User Group (CUG)

The CUG meeting provides in-depth, in-person, and detailed training and education through structured lecture and presentation, panels of experts, interactive dialog in an open forum, direct question and answer sessions and invaluable networking opportunities. Workshops cover the entire compliance sphere with focus reflecting the attendees' and industries' issues. These meetings provide direct access to the WECC Compliance management team, staff, and Subject-Matter Experts. Participants may also attend telephonically or via webinar.

Critical Infrastructure Protection User Group (CIPUG)

The mission of the CIPUG is to provide an open forum for the exchange of information regarding the WECC Compliance Program's enforcement of mandatory CIP Standards in the Western Interconnection. Its meetings are structured similarly to those of the Compliance User Group, and it is a forum for WECC to provide information regarding NERC and WECC CIP activities and related training and workshops for registered entities on an as-needed basis.

Information for these workshops and seminars (and others as they are finalized) and the dates on which they are scheduled to occur will be posted on the WECC website.


More information

Project Physical Security Directives Mapping Document

Project Physical Security Directives Mapping Document Document Background In Order No. 802 (final order on CIP-014-1 Physical Security), issued on November 20, 2014, FERC directed NERC to remove the term widespread from Reliability Standard CIP-014-1 or,

More information

Department of Management Services REQUEST FOR INFORMATION

Department of Management Services REQUEST FOR INFORMATION RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President

More information

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW EXECUTIVE SUMMARY CenturyLink is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

November ERO Reliability Risk Priorities, RISC Recommendations to the NERC Board of Trustees, November 2016

November ERO Reliability Risk Priorities, RISC Recommendations to the NERC Board of Trustees, November 2016 ERO Enterprise Long-Term Strategy November 2017 Introduction As the ERO Enterprise 1, our vision is a highly reliable and secure North American bulk power system (BPS). Our mission is to assure effective

More information

Standard EOP Disturbance Reporting

Standard EOP Disturbance Reporting A. Introduction 1. Title: Disturbance Reporting 2. Number: EOP-004-1 3. Purpose: Disturbances or unusual occurrences that jeopardize the operation of the Bulk Electric System, or result in system equipment

More information

Standards. Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016

Standards. Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016 Standards Howard Gugel, Director of Standards Board of Trustees Meeting February 11, 2016 Balancing Authority Reliability-based Controls Reliability Benefits Data requirements for Balancing Authority (BA)

More information

Registered Entity Self-Report and Mitigation Plan User Guide

Registered Entity Self-Report and Mitigation Plan User Guide Registered Entity Self-Report and Mitigation Plan User Guide June 2018 NERC Report Title Report Date I Table of Contents Preface...1 Disclaimer...2 Document Revisions...3 Introduction...4 Chapter 1: Description

More information

NERC-Led Technical Conferences

NERC-Led Technical Conferences NERC-Led Technical Conferences NERC s Headquarters Atlanta, GA Tuesday, January 21, 2014 Sheraton Phoenix Downtown Phoenix, AZ Thursday, January 23, 2014 Administrative Items NERC Antitrust Guidelines

More information

Cyber Threats? How to Stop?

Cyber Threats? How to Stop? Cyber Threats? How to Stop? North American Grid Security Standards Jessica Bian, Director of Performance Analysis North American Electric Reliability Corporation AORC CIGRE Technical Meeting, September

More information

State of Reliability Report 2013

State of Reliability Report 2013 State of Reliability Report 2013 Jessica Bian, Director of Performance Analysis Reliability Assessment and Performance Analysis (RAPA), NERC Risk Issues Steering Committee Meeting, July 11-12, 2013 State

More information

playbook OpShield for NERC CIP 5 sales PlAy

playbook OpShield for NERC CIP 5 sales PlAy playbook OpShield for NERC CIP 5 sales PlAy OpShield for NERC CIP 5 The Problem U.S. bulk power entities are federally mandated to comply with NERC CIP requirements that dictate industrial security and

More information

Cybersecurity for the Electric Grid

Cybersecurity for the Electric Grid Cybersecurity for the Electric Grid Electric System Regulation, CIP and the Evolution of Transition to a Secure State A presentation for the National Association of Regulatory Utility Commissioners March

More information

NERC CIP Information Protection

NERC CIP Information Protection NERC CIP Information Protection Eric Ruskamp Manager, Regulatory Compliance September 13, 2017 1 Agenda NERC History NERC Compliance Overview of Reliability Standards Compliance with Reliability Standards

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014 Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed

More information

Control Systems Cyber Security Awareness

Control Systems Cyber Security Awareness Control Systems Cyber Security Awareness US-CERT Informational Focus Paper July 7, 2005 Produced by: I. Purpose Focus Paper Control Systems Cyber Security Awareness The Department of Homeland Security

More information

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED. Assistant Deputy Minister (Review Services) Reviewed by in accordance with the Access to Information Act. Information UNCLASSIFIED. Security Audits: Management Action Plan Follow-up December 2015 1850-3-003

More information

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015 Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently

More information

Reliability Standards Development Plan

Reliability Standards Development Plan Reliability Standards Development Plan Steven Noess, Director of Standards Development Standards Oversight and Technology Committee Meeting November 1, 2016 2017-2019 Reliability Standards Development

More information

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document CIP-002-4 Cyber Security Critical Cyber Asset Identification Rationale and Implementation Reference Document NERC Cyber Security Standards Drafting Team for Order 706 December 2010 This document provides

More information

INTELLIGENCE DRIVEN GRC FOR SECURITY

INTELLIGENCE DRIVEN GRC FOR SECURITY INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to

More information

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17 GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive

More information

History of NERC January 2018

History of NERC January 2018 History of NERC January 2018 Date 1962 1963 The electricity industry created an informal, voluntary organization of operating personnel to facilitate coordination of the bulk power system in the United

More information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016 For Discussion Purposes Only Technical Reference [Draft] DRAFT CIP-013-1 Cyber Security - Supply Chain Management November 2, 2016 Background On July 21, 2016, the Federal Energy Regulatory Commission

More information

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it

More information