Appendix A3 - Northeast Power Coordinating Council (NPCC) 2015 CMEP Implementation Plan for Entities within the U.S.

Similar documents
Québec Reliability Standards Compliance Monitoring and Enforcement Program Implementation Plan Annual Implementation Plan

New Brunswick 2018 Annual Implementation Plan Version 1

2018 MRO Regional Risk Assessment

Cyber Security Reliability Standards CIP V5 Transition Guidance:

Risk-Based Compliance Monitoring & Enforcement Oversight Framework. FRCC Spring Compliance Workshop April 14 16, 2015

Multi-Region Registered Entity Coordinated Oversight Program

Critical Infrastructure Protection Version 5

Compliance Enforcement Initiative

Appendix A8 - Western Electricity Coordinating Council (WECC) 2015 CMEP Implementation Plan

Impacts and Implementation: NERC Reliability Standards, Compliance Initiatives, and Regulatory Activities

RELIABILITY COMPLIANCE ENFORCEMENT IN ONTARIO

NERC and Regional Coordination Update. Operating Committee Preston Walker January 9, 2018

Risk-Based Approach to Compliance Monitoring and Enforcement

NERC CIP Information Protection

2017 MRO Performance Areas and an Update on Inherent Risk Assessments

Procedure For NPCC Bulk Electric System Asset Database

NERC Overview and Compliance Update

British Columbia Utilities Commission Reliability Standards with Effective Dates adopted in British Columbia

Critical Asset Identification Methodology. William E. McEvoy Northeast Utilities

Meeting- Overview of. Development

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Standards Development Update

ERO Enterprise IT Projects Update

Disclaimer Executive Summary Introduction Overall Application of Attachment Generation Transmission...

Reliability Standards Development Plan

Physical Security Reliability Standard Implementation

DRAFT Reliability Standard Audit Worksheet 1

Standards Authorization Request Form

NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Standard Development Timeline

Internal Controls Evaluation (ICE) Tony Eddleman, P.E. NERC Compliance Manager Nebraska Public Power District

Reliability Standard Audit Worksheet 1

requirements in a NERC or Regional Reliability Standard.

2017 ERO Enterprise Compliance Monitoring and Enforcement Implementation Plan

Board of Trustees Compliance Committee

Proposed Convention for Numbering of NERC Reliability Standards Draft September 9, 2004

Standard CIP Cyber Security Critical Cyber As s et Identification

State of Reliability Report 2013

Cyber Security Standards Drafting Team Update

Cyber Threats? How to Stop?

Standard Development Timeline

CCC Compliance Guidance Task Force. Patti Metro, Manager, Transmission & Reliability Standards, NRECA Compliance Committee May 4, 2016

Standards Authorization Request Justification

Compliance Exception and Self-Logging Report Q4 2014

Lee County Electric Cooperative, Inc.

Standards Authorization Request Form

History of NERC December 2012

Internal Controls Procedure

CIP Version 5 Evidence Request User Guide

DRAFT. Cyber Security Communications between Control Centers. March May Technical Rationale and Justification for Reliability Standard CIP-012-1

Reliability Standard Audit Worksheet 1

Implementing Cyber-Security Standards

Title. Critical Infrastructure Protection Getting Low with a Touch of Medium. CanWEA Operations and Maintenance Summit 2018.

Unofficial Comment Form

Standard CIP Cyber Security Critical Cyber As s et Identification

CIP Cyber Security Personnel & Training

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

Cyber Security Incident Report

Grid Security & NERC. Council of State Governments. Janet Sena, Senior Vice President, Policy and External Affairs September 22, 2016

NERC-Led Technical Conferences

Québec Interconnection Approach to BES

2014 Annual Compliance Assessment

CIP Cyber Security Critical Cyber Asset Identification. Rationale and Implementation Reference Document

Reliability Compliance Update. Reliability Standards and Compliance Subcommittee Preston Walker August 16, 2018

History of NERC January 2018

Regulatory Impacts on Research Topics. Jennifer T. Sterling Director, Exelon NERC Compliance Program

Reliability Standard Audit Worksheet 1

Breakfast. 7:00 a.m. 8:00 a.m.

Standard Development Timeline

FERC Reliability Technical Conference Panel III: ERO Performance and Initiatives ESCC and the ES-ISAC

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

NERC and Regional Coordination Update

Registration & Certification Update

Reliability Standard Audit Worksheet 1

Purpose. ERO Enterprise-Endorsed Implementation Guidance

Misoperations Information Data Analysis System (MIDAS)

History of NERC August 2013

Summary of FERC Order No. 791

CIP Version 5 Transition. Steven Noess, Director of Compliance Assurance Member Representatives Committee Meeting November 12, 2014

CIP Cyber Security Personnel & Training

Member Representatives Committee Meeting

Grid Security & NERC

Violation Risk Factor and Violation Severity Level Justifications Project Modifications to CIP Standards

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Critical Infrastructure Protection Committee Strategic Plan

Unofficial Comment Form Project Operating Personnel Communications Protocols COM Operating Personnel Communications Protocols

Standard CIP 004 3a Cyber Security Personnel and Training

2015 Risk Element: Extreme Physical Events

Standard Development Timeline

NERC Staff Organization Chart Budget

Project Retirement of Reliability Standard Requirements

CIP Standards Development Overview

ERO Enterprise Registration Practice Guide: Distribution Provider directly connected Determinations Version 2: July 5, 2018

Project Cyber Security - Order No. 791 Identify, Assess, and Correct; Low Impact; Transient Devices; and Communication Networks Directives

This draft standard is being posted for an initial comment and ballot. The draft includes modifications to meet the directives of FERC Order No. 791.

Chief Executive Officer. Pacific Northwest Utilities Conference Committee Portland, Oregon March 8, 2013

playbook OpShield for NERC CIP 5 sales PlAy

A. Introduction 1. Title: 2. Number: 3. Purpose: 4. Applicability: 4.1. Functional Entities: Balancing Authority Distribution Provider

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Electric Transmission Reliability

Transcription:

Appendix A3 - Northeast Power Coordinating Council (NPCC) 2015 CMEP Implementation Plan for Entities within the U.S. This Appendix contains the CMEP Implementation Plan (IP) for the registered entities within the U.S. portion of NPCC as required by the NERC Rules of Procedure. 1. Compliance Monitoring and Enforcement 1.1 CMEP IP Highlights and Material Changes NPCC will continue to implement a cyber-security outreach program that consists of NPCC Subject Matter Experts visiting critical facilities owned by participating entities (participation is voluntary) and assessing the cyber security posture of the control systems that support the operation of these facilities. NPCC will continue the physical security outreach program in 2015 (participation is also voluntary) and NPCC staff will hold a Security Information Exchange session, which will include entity presentations, at the spring and fall Compliance Workshops. As part of the CIP Version 5 transition and consistent with NERC guidance, NPCC will perform CIP audits based on the entity s selected option for maintaining compliance with CIP standards during the Transition Period: Continue to comply by maintaining a valid RBAM for Critical Asset identification pursuant to CIP-002-3. For Responsible Entities that have already adopted the CIP V4 Critical Asset Criteria (CIP-002-4, Attachment 1), use the CIP V4 Critical Asset Criteria in its entirety, with the exception of criterion 1.4 (Blackstart Resources) and criterion 1.5 (Cranking Paths), to identify assets subject to the controls in CIP-003-3 through CIP-009-3. Use the CIP V5 High and Medium Impact Rating Criteria (CIP-002-5.1, Attachment 1) to identify assets subject to the controls in the CIP V5 Standards. Option 1 Option 2 Option 3 The on-site CIP Audits will be conducted as directed in the Guidance document. CIP Audits of those entities that have not chosen to move to Version 5 (Options 1 and 2) will be audited to Version 3. If an entity indicates that they have adopted CIP Version 5 (Option 3), NPCC will review their compliance with Version 5 Standards. In all cases, NPCC s approach would be to perform a review of those Standards / Requirements that are mostly compatible with the Version 5 Standards. Since Version 3 is enforceable until July 1, 2016, no findings of non-compliance with Version 5 Standards will be issued. A non-public document will be issued indicating any areas of concern where future compliance with version 5 may be in jeopardy. Previously, off-site CIP audits had been conducted to verify that an entity does not have any Critical Cyber Assets. In accordance with the recently released CIP Transition Guidance, there are no off-site CIP audits scheduled in 2015. NPCC may include selected Spot Checks in place of the Off-site CIP Audits. NPCC will be providing more details on the CIP approach to Compliance Monitoring in an upcoming Webinar (date not yet determined) and at our Compliance Workshops. 1.2 Other Regional Key Initiatives & Activities NPCC will continue to participate in the Risk Based Registration Advisory Group (RBRAG) which is charged with the ERO-wide development of criteria for risk-based registration. 28

NPCC will continue to participate in the Reliability Assurance Initiative Advisory Group (RAIAG) which is monitoring and ensuring the uniform ERO-wide implementation of RAI monitoring and enforcement activities. NPCC will continue to participate in the RAI Program related to the Logging (Aggregation) of Minimal Risk Issues. NPCC also expects to treat certain minimal risk violations as Compliance Exceptions. NPCC will continue to be a member of the RAI Regional Entity Group (RAIRE), which is formulating the overall RAI Training and ICE protocol and guidance documents. NPCC supported all six Webinars associated with the NERC Compliance Auditors Handbook and ERO Checklist. NPCC will continue to provide input to the NERC Manual Task Force (MTF) tasked with maintaining the Auditors Handbook and enhancing Auditor Tools. NPCC will continue to participate in the development of a program to implement CIP-014-1, Physical Security. NPCC will continue to participate in the NERC CIP Version 5 Transition Guidance workgroup. As part of the Events Analysis process, NPCC will continue to encourage registered entities to perform a voluntary, systematic Compliance Analysis (CA) in response to all system events and disturbances. Registered entities are also expected to share the CA with the RE for all Category 2 and above events. 2. Regional Risk Assessment Process NPCC s Regional Risk Assessment Process is a summary and compilation of specific parts of NPCC s Entity Inherent Risk Assessment process and NERC s IRA Assessment Guide that takes into account the nine areas of focus for 2015 consideration. 1. Infrastructure maintenance 2. Uncoordinated protection systems 3. Protection systems misoperations 4. Workforce capability 5. Monitoring and situational awareness 6. Long term planning and system analysis 7. Threats to cyber systems 8. Human error 9. Extreme physical events NPCC s Regional Risk Assessment Process includes the following: 2.1 Functional Registration Impact Profile The Functional Registration Impact Profile is used to populate NPCC s standards subject to Regional monitoring. It considers the potential effect on the reliability of the Bulk Power System (BPS) based on NPCC s Regional perspective and registered entity s functions. The following table shows the initial impact classification of registered entities. Assignment of Initial Functional Registration Impact High Impact Medium Impact Low Impact RC/BA TO w/o BES facilities GO/GOP under 200 MW TOP GO /GOP between 200 MW and 500 MW DP peak load under 1000 MW TO w/ BES facilities DP peak load over 1000 MW GO /GOP over 500 MW 29

2.2 NPCC Regional Compliance History NPCC will examine the past compliance history of the entire Region. This will include an identification of the Standards and Requirements that have been violated the most within the NPCC Region. It will examine past audit performances, including the number and type of violations that were discovered through audits compared with the number and type of violations that were discovered through self-reports or Self- Certifications. It will also incorporate any issues or problems that may have been identified that did not result in a potential violation. 2.3 NPCC Regional Enforcement History Profile NPCC will analyze violations to identify any trends regarding: Level of risk to the BPS (operational vs. documentation) Timeframes of violations (real time, next day, planning) Number of repeat violations 2.4 NPCC Overall Evaluation Based on a registered entity s function, NPCC will specifically examine impact and violations based on the following: RC Qualifying IROL/SOL events Qualifying loss of load events BA DCS Performance (ACE or restoration of reserve) Qualifying IROL/SOL events Qualifying loss of load events TO/TOP Qualifying IROL/SOL events Protection System Misoperations Qualifying loss of load events GO Protection System Misoperations 3. Regional Risks and Associated Reliability Standards The table below contains the Regional risk elements identified during the Regional Risk Assessment. The table also contains associated Reliability Standards/Requirements to identified risks that may be considered in the Regional compliance oversight plan. Regional Risk Focus Areas Uncoordinated Protection Systems; Protection System Misoperations; Monitoring and Situational Awareness Infrastructure Maintenance Reliability Standards Subject to Regional Monitoring Associated Standard & Justification Requirement(s) NPCC identified three risk elements where it was PRC-002-NPCC-01 necessary to develop a Regional Standard to ensure that applicable entities had Disturbance Monitoring Equipment and capabilities to monitor and capture adequate disturbance data to facilitate Bulk Electric System event analyses. FAC-003-3 R1,R2,R4,R5,R6,R7 30

Regional Risk Focus Areas Uncoordinated Protection Systems Reliability Standards Subject to Regional Monitoring Justification Associated Standard & Requirement(s) PRC-006-1 R8,R9,R10 PRC-015-0 R1 NPCC reliability area of focus in 2015 Workforce Capability NPCC reliability area of focus in 2015 PRC-005-1.1b R1,R2 PRC-023-3 R1 to R6 IRO-005-3.1a R6,R7 TOP-002-2.1b R5,R6,R7,R8,R10,R14 TOP-008-1 R1,R2,R3 TOP-007-0 R1 to R4 Monitoring and Situational Awareness Process is critical to maintaining the power system equipment capability/reliability VAR-002-2b R1 to R3 BAL-001-1 R1 to R4 BAL-002-1 R1 to R6 BAL-003-0.1b R2,R3,R5 Conditions/equipment/capability to perform the functions can change as technology changes COM-001-1.1 R1,R2 Long Term Planning and System Analysis NPCC reliability area of focus in 2015 NPCC reliability area of focus in 2015 IRO-005-3.1a R9,R12 IRO-009-1 R3 MOD-001-1a R2 to R5 and R7 to R9 Human Error Extreme Physical Events MOD-029-1a R1 to R8 TPL-003-0b R1 to R3 PER-003-1 R2 EOP-001-2.1b R2,R6 EOP-002-3.1 R1,R3,R5 EOP-005-2 R2 4. Compliance Oversight Plan The specific list of audited standards will be contained in the entity s audit notification letter sent at least 90 days prior to the scheduled audit. The specific list of 2015 Self Certifications, applicable registered functions, dates, and scheduled reporting dates will be posted on the NPCC website. The link to the Self Certification Schedule is: https://www.npcc.org/compliance/compliance%20reporting%20schedules/forms/public%20list.aspx 31

NPCC will not audit Interchange Authorities, Load Serving Entities or Purchase-Selling Entities in 2015. The audit schedule is also located on the NPCC s website here: https://www.npcc.org/compliance/audit%20schedule/2015%20preliminary%20audit%20schedule.pdf Audits of Canadian Entities will be conducted in accordance with the appropriate agreements. The following U.S. entities are scheduled for an audit in 2015: 2015 Compliance Audit Plan NCR # Registered Entity NCR00538 Astoria Energy, LLC NCR11377 Brayton Point Energy, LLC NCR11324 Brookfield White Pine Hydro, LLC NCR07024 Burlington Electric Department NCR07025 Calpine Energy Services NCR07026 Capitol District Energy Center Cogeneration Associates, JV NCR07029 Central Maine Power Company NCR00200 Dynegy Power, LLC NCR04057 Exelon Generation Co., LLC (Power) NCR07087 Flat Rock Windpower L.L.C. NCR07090 Fortistar North Tonawanda NCR11121 GenOn East 1 NCR07101 Granite Ridge Energy, LLC NCR07108 Huntley Power LLC NCR07111 Hydro-Quebec Production NCR00124 Ipswich Municipal Light Department NCR07124 ISO-NE NCR07130 KIAC Partners NCR11339 Lakeside New York LLC NCR00164 Littleton Electric Light Department NCR07132 Lockport Energy Associates NCR07133 Long Island Power Authority NCR11287 Marble River LLC NCR00208 Marblehead Municipal Light Department NCR07136 Mass. Municipal Wholesale Electric Company NCR07139 MASSPOWER NCR07141 Middletown Power LLC NCR07128 National Grid Generation LLC NCR07154 New Athens Generating Company, LLC NCR07091 New Hampshire Transmission, LLC NCR07160 New York Independent System Operator NCR10332 NextEra Energy Resources, LLC NCR07180 NSTAR Electric Company NCR07181 NYSEG NCR11337 ReEnergy Black River NCR11152 Tanner Street Generation, LLC NCR00543 TC Ravenswood LLC NCR00088 TC Ravenswood Services Corp. NCR07220 TransCanada Hydro Northeast Inc 32

2015 Compliance Audit Plan NCR # Registered Entity NCR07228 Vermont Transco, LLC 5. Compliance Outreach Compliance Outreach Activities Outreach Activity NPCC utilizes its semi-annual workshops as a primary mechanism for outreach to its registered entities. An Introduction to NPCC presentation is included at each workshop. NPCC conducts webinars open to all NPCC registered entities on an as needed basis. It also posts webinar question-and-answer documents as appropriate. NPCC responds to individual requests from registered entities, but if an individual concern can be applied to all registered entities, NPCC will post a Compliance Guidance Statement or clarification to address that concern. Anticipated Date 2015 workshop dates: May 19-21 and Nov 17-19. NPCC conducts surveys of its registered entities as needed to acquire registration data, BES element data, workshop content preferences, etc. NPCC hosts monthly Compliance Committee meetings to disseminate the latest information regarding the compliance program to industry stakeholders. In 2013, NPCC implemented a Physical Security Outreach Program. Under this continuing program, NPCC physical security subject matter experts perform voluntary physical security assessments for certain registered entities. NPCC developed a Cyber Security Outreach Program that began in 2014 and will continue in 2015. In 2015, NPCC will institute a CIP Version 5 transition outreach program. NPCC developed an internal entity guide to assist registered entities in meeting quarterly reporting requirements pursuant to PRC-004 and NERC ALR4-1. The NPCC website includes links associated with the areas of Standards, Registration, Compliance Monitoring, and Enforcement. 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback