Tony Purgar CIP Compliance Workshop Baltimore, MD August 19-20, 2009
Background
Overview – Initial TFE Program Proposal (dated March 16, 2009)
Overview - “Compliance Process Bulletin #2009-006 Interim Approach to Technical Feasibility Exceptions” (dated July 1, 2009)
Where Are We Today?
◦ “Joint NERC and RE Proposal to Implement TFE Evaluations”
Next Steps
2© ReliabilityFirstCorporation
January 18, 2008: FERC issued Order No. 706 approving mandatory Reliability Standards for CIP and directed NERC to establish a procedure for the submission, review, audit and approval of Technical Feasibility Exceptions (TFEs)
◦ Specifically, NERC as the ERO was directed “to develop a set of conditions or criteria that a responsible entity must follow when relying on the technical feasibility exception contained in specific requirements of the CIP Reliability Standards.”
◦ Also, “technical feasibility exceptions should be reported, justified and subject to approval by the ERO or relevant Regional Entity.”
March 16, 2009: NERC posted a “Request for Comments on Proposed Procedure for Requesting and Receiving Technical Feasibility Exceptions to NERC CIP Standards and Related Amendments to NERC Rules of Procedure” - Initial TFE Program Proposal
◦ April 30, 2009: Comments due
◦ April-May, 2009: Over 50 different sets of comments were received
  ◦ Review of comments and evaluation of additional approaches is ongoing
May 16, 2009: Order No. 706-A issued
◦ FERC “expects Regional Entities to process and evaluate requests for technical feasibility on a fair and consistent basis.”
◦ NERC would have discretion to develop uniform procedure (i.e. revision to NERC RoP) to establish level of consistency in processing TFEs
July 1, 2009: NERC released “Compliance Process Bulletin #2009-006 Interim Approach to Technical Feasibility Exceptions”
◦ Provides guidance to REs and affected Registered Entities concerning applicability & implementation of NERC CIP Standards that refer to “technical feasibility” and/or “technical limitation” pending the adoption of permanent program to address TFEs.
Applicable only to specific requirements in CIP-002 through CIP-009
Proposed process was a modification to the NERC Rules of Procedure
Modeled after the Self Report of Non-Compliance with Mitigation Plan
An “Exception” not an “Exemption” from Compliance
Applicable Requirement: A Requirement of a CIP standard that expressly provides either
◦ (i) that compliance with the terms of the Requirement is required where or as technically feasible, or
◦ (ii) that technical limitations may preclude compliance with the terms of the Requirement
Covered Asset: A Cyber Asset or Critical Cyber Asset that is subject to an Applicable Requirement
Eligible Reviewer: A person who has the required security clearances or other qualifications, or who otherwise meets the applicable criteria, to have access to classified National Security Information, NRC Safeguards Information, or Protected FOIA Information, as applicable to the particular information to be reviewed.
Expiration Date: The date on which a TFE expires, as specified in the approved TFE Request or in a Notice of Revocation.
National Security Information (NSI): Information classified by an Executive Order, whose compromise would cause some degree of damage to the national security.
Protected FOIA Information: Required Information, held by a governmental entity, that is subject to an exemption from disclosure under FOIA (5 U.S.C. §552(e)) or any similar state or local statutory provision which would be lost were the Required Information to be placed into the public domain.
◦ [NOTE: This definition should be interpreted to include any Canadian or provincial provisions similar to FOIA.]
Region: The geographic boundaries of a Regional Entity.
Regional Entity: The organization that has compliance enforcement authority for the Critical Asset supported by the Covered Asset that is the subject of the TFE request.
Responsible Entity: A user, owner or operator of the Bulk Electric System that is registered in the Compliance Registry and is responsible for complying with an Applicable Requirement, as specified in the Applicability section of the CIP Standard.
Safeguards Information (SGI): Safeguards information is a special category of sensitive unclassified information authorized by Section 147 of the Atomic Energy Act to be protected.
◦ Safeguards information concerns the physical protection of operating power reactors, spent fuel shipments, strategic special nuclear material, or other radioactive material.
Senior Manager: The person assigned by the Responsible Entity, in accordance with CIP Standard CIP-003-1 Requirement R2 (or subsequent versions), to have overall responsibility for leading and managing the Responsible Entity’s implementation of, and adherence to, the CIP Standards.
Strict Compliance: Compliance with the terms of an Applicable Requirement without reliance on a Technical Feasibility Exception
Technical Feasibility Exception or TFE: An exception from compliance with the terms of an Applicable Requirement on grounds of technical feasibility or technical limitations in accordance with one or more of the criteria defined within the TFE Basis for Approval
TFE Request: A request submitted by a Responsible Entity in accordance with the published Interim TFE process for an exception from Compliance with an Applicable Requirement
When Strict Compliance with an Applicable Requirement:
Is not technically feasible
Is not operationally feasible
Is precluded by technical limitations
Could adversely affect the reliability of the Bulk Electric System to an extent that outweighs the reliability benefits of Compliance with the Applicable Requirement
While technically and operationally feasible, cannot be achieved by the Compliance Date due to such factors as:
◦ Scarce technical resources
◦ Limited availability of required equipment or components
◦ Need to construct, install, or modify equipment during planned outages
Would pose safety risks or issues that outweigh the reliability benefits of Strict Compliance
Would conflict with, or cause the Responsible Entity to be non-compliant with a separate statutory or regulatory requirement that cannot be waived
Would incur costs that exceed the benefits of Compliance
Responsible Entity is required to implement and maintain an alternate approach to achieving compliance through the use of compensating and/or mitigating measures
TFE will typically be approved for a limited duration
◦ Normally requires expiration date
Compliance with applicable requirement is expected
◦ Open-ended TFE allowed under limited conditions if justified, with periodic review to perpetuate TFE
Separate submission for each TFE request
◦ For each Applicable Requirement pertaining to each Covered Asset.
Can group multiple, similar Covered Assets into one submission
◦ Same or multiple locations
◦ Same basis for TFE
◦ Same compensating and mitigating measures
◦ Similar proposed Expiration Dates
Responsible Entity name
Contact information, including how NERC may arrange to view confidential information
Location of Covered Asset
Applicable Requirement
Narrative discussion and analysis of the basis for approval
Narrative discussion and analysis of compensating and mitigating measures, including how and to what extent the measures will reduce risk
List of confidential information to be reviewed onsite along with criteria to be an Eligible Reviewer
Proposed implementation and reporting schedule
Proposed plan and time schedule for terminating TFE and achieving Strict Compliance
◦ Detailed steps and milestone schedule for achieving Strict Compliance, or
◦ Specific research, design, analytical, testing, or other activities, with schedule, to determine a means to achieve Strict Compliance
Justification for requesting TFE with no expiration date
If Expiration Date is longer than one year, a proposed schedule for submitting reports to NERC on continuing need and justification for TFE
◦ Reports must be submitted at least annually
Statement, signed by the Sr. Manager, acknowledging that the Sr. Manager has read and understands the TFE request and recommends approval
Preliminary Review to confirm all requirements of submission are satisfied
◦ Unique identifier assigned
◦ If Submission is complete, NERC sends notice accepting TFE as complete
◦ If Submission is incomplete, NERC sends notice rejecting the TFE
  ◦ NERC shall identify missing content.
  ◦ Responsible Entity may resubmit
Substantive Review for Approval/Disapproval
◦ 60-day review period, can be extended
◦ If not approved, disapproved, or extended within review period, TFE automatically disapproved
◦ Notice of Approval or Disapproval (with option to appeal)
◦ NERC shall perform wide-area analysis collaborating with other Regional Entities and Responsible Entities
Reason for Disapproval stated in notice
NERC may state revisions to TFE that would result in approval of TFE Request if resubmitted
◦ NERC not required to identify revisions
Requester has 30 days from time of notice to
◦ Resubmit TFE with NERC identified revisions, or
◦ Submit a mitigation plan to achieve Strict Compliance
Mitigation Plan processing shall follow CMEP
Findings of Violations and Imposition of Penalties will be deferred during TFE Review
◦ Deferment starts with acceptance as complete
◦ Deferment ends with notice of approval or effective date of disapproval
Once TFE is approved, deferment continues as long as the TFE remains in effect and/or progress to Strict Compliance remains on schedule
Responsible Entity to submit timely periodic and other reports as specified in approved TFE request
◦ Covers progress implementing
  ◦ Compensating and/or mitigating measures
  ◦ Steps, research, analysis to achieve strict compliance
TFE can be revoked if progress milestones not met, mitigation not maintained, or reports not submitted
◦ TFE amendment can be requested, if needed
◦ No guarantee amendment will be accepted
NERC may initiate Revocation Investigation
◦ Can revoke TFE prior to Expiration Date - may become Alleged Violation
◦ Can advance Expiration Date
◦ Can impose additional requirements
Responsible Entity can amend a pending TFE Request at any time the TFE is under review by NERC
◦ Provide additional information
◦ Revise required information
Can resubmit the entire TFE as amended or only the portion being amended if easily separable
May result in extension of review period
Responsible Entity may submit amendment to approved TFE requesting revision to any TFE requirement.
◦ For example:
  ◦ Revised compensating/mitigating measures
  ◦ Extension to implementation schedule
  ◦ Extension of Expiration Date
May submit entire TFE or only amended portions
Responsible Entity must include:
◦ Narrative explanation of the amendment
◦ Reason and purpose of the amendment
◦ Reasons approved TFE requirements cannot be met
NERC will review for completeness and accept or reject the submission
If complete, NERC will perform substantive review to approve or disapprove
Approved TFE replaces previous TFE
Notice Required to NERC
◦ At least 30 days prior to Expiration Date
◦ Signed and dated by Sr. Manager
◦ Asserts Responsible Entity has or will be able to achieve Strict Compliance by Expiration Date
Audit of Strict Compliance included in next Compliance Audit, even if not originally planned in the audit program
Hearing can be requested before the Compliance and Certification Committee (CCC)
◦ Dispute rejection or disapproval of TFE request
◦ Dispute rejection or disapproval of proposed amendment
◦ Dispute Revocation Notice
Adverse final order of the CCC can be appealed to the Board of Trustees Compliance Committee (BOTCC)
“Interim Guidance” document
◦ Background
◦ Approach
◦ Submittal Requirements
◦ Regional Activities
◦ TFE Disapproval
◦ TFE Compliance
Posted July 1, 2009 as guidance to REs and affected Responsible Entities for addressing TFEs pending the adoption of permanent program.
Interim process is required to address TFEs for requirements for which certain Responsible Entities reached the “C-Compliant” stage on July 1, 2009 per the CIP Implementation Plan.
Without formal TFE process, REs will need to address TFEs in context of CIP Audits, Investigations and Spot-Checks
Responsible Entities asserting TFE must provide documentary support for the assertion of the TFE.
◦ Basic information and particulars of TFE
◦ Information justifying appropriateness of TFE
◦ Information concerning mitigating and compensating measures to be implemented with TFE to reduce risk to reliability of BES.
Responsible Entities should submit TFE through an appropriately secure means acceptable to RE
◦ Secure Portal
◦ Encrypted e-mail
Should be submitted prior to time the Responsible Entity receives notice of a CIP audit or spot-check, ideally at time Responsible Entity is in “C-Compliant” stage of implementation
REs to provide time for TFE submission to Responsible Entities that will reach “C-Compliant” stage for specific requirements OR that received CIP audit / spot-check notices prior to July 1, 2009
REs should receive TFE request at least 30 days prior to site visit of any audit or spot-check
Identification of Standard & Requirements for which the TFE is being asserted
Description of assets, critical assets, and critical cyber assets affected by TFE, including vendor documentation detailing specific limitation of relevant equipment
Explanation of why TFE is necessary
Documentation of date TFE was approved by Senior Manager or delegate(s)
Description of mitigating and compensating measures taken by Responsible Entity to address all risks to reliability of BES
If applicable, list of other Regions in which the Responsible Entity is seeking a TFE
Time period for which TFE is to remain in place
◦ Specify Effective date and Actual or Expected End date
Evidence that the TFE assertion is in fact required based on factors outlined in the proposed Appendix 4D to the RoP, in TFE Program Proposal
◦ Refer to “TFE Basis for Approval” section of this presentation
Documentation and evidence of implementation plan that achieves a comparable level of security to the requirement for which TFE is being claimed
Remediation plan and timeline for eliminating use of TFE or evidence that remediation by certain date is not feasible due to technical limitations or other just cause.
Auditors will consider the “Basis for Approval” factors and any evidence to determine whether compliance could be found based on TFE assertion
◦ Mitigating and Compensating measures will be evaluated
Auditors required to document Audit or Spot Check Reports that include (when applicable):
◦ Whether Registered Entity asserted a TFE request
◦ Basis for accepting TFE as part of findings of compliance
◦ Basis for rejecting TFE as part of findings of possible violations
  ◦ “Contrary to current practice, any spot-check report documenting one or more TFEs MUST be submitted to NERC”
If TFE rejected, Auditors to send notice of disapproval and reasons for disapproval
◦ May suggest revisions that, if made, would lead to approval
◦ Shall specify effective date
Revised TFE may be submitted during period from notice date to effective date
◦ If re-submitted as specified, Auditors issue notice of approval and consider TFE in findings
◦ If not re-submitted, case enters Enforcement space as possible violation
If Responsible Entity is found in Compliance based on TFE, finding will remain in effect until earlier of:
◦ Responsible Entity’s next audit;
◦ Subsequent compliance action identifies a failure to comply with mitigation, compensating or remediation plans submitted with TFE request;
◦ Effective date of formal program adopted to review and approve TFEs, at which time the Responsible Entity would be expected to formally submit TFE request through formal program
NERC and REs are closely collaborating to develop an efficient, secure and manageable permanent TFE program
“TFE Program Proposal” and “Interim Guidance” documents provide the framework for a permanent TFE program
“Interim Guidance” is official pending updates or the adoption of a permanent TFE Program
Latest Submission = Joint NERC and RE Proposal to Implement TFEs
Background
Applicability
TFE Requests and Responsibilities of Registered Entities
Procedures for Evaluation of a TFE Request (Regional Entities and NERC)
Regional Entities’ Roles and Responsibilities
NERC’s Roles and Responsibilities
Per Orders 706 & 706-A, NERC/REs defined these characteristics for the proposed TFE program:
◦ Produce the information needed to review and approve TFE Requests;
◦ Be straightforward and not unduly burdensome to NERC, REs and Responsible Entities;
◦ Maintain security of sensitive information per §1500 of NERC RoP;
◦ Leverage existing resources at NERC & REs;
◦ Minimize processing burden due to large volumes of TFEs
◦ Clearly define roles/responsibilities of NERC, REs and Responsible Entities
NERC will be responsible for oversight, implementation and consistency of TFE Program implementation, including oversight at the Regional Entity
NERC and REs shall:
◦ Establish uniform processes & tools to receive, catalogue and approve TFE requests
  ◦ Using existing NERC and Regional Entity Systems
  ◦ Ensuring CEII and other confidential information is secure at all times per §1500 of NERC RoP
◦ Approve common templates and electronic forms
◦ Maintain list of requirements eligible for TFE Requests
  ◦ Including evaluation and proposal of class-type TFEs applicable to broad classes of devices & equipment
Requirements eligible for TFE Request:
◦ CIP-005-1/R2.4
◦ CIP-005-1/R2.6
◦ CIP-005-1/R3.1
◦ CIP-005-1/R3.2
◦ CIP-006-1/R1.1
◦ CIP-007-1/R2.3
◦ CIP-007-1/R3.2
◦ CIP-007-1/R4
◦ CIP-007-1/R4.1
◦ CIP-007-1/R5.3
◦ CIP-007-1/R6.
◦ CIP-007-1/R6.3.
NERC will revise this list as Reliability Standards are revised and approved by FERC.
Added based on recent discussions with FERC and the REs
Responsible Entity expected to prepare TFEs that:
◦ Achieve goals of eligible requirement
◦ Mitigate any potential impacts to reliability of BES
◦ Provide for timely transition to Compliance w/o TFE
TFE Request - Submittal Process (Part A & Part B)
◦ Part A:
  ◦ Signifies notice to RE of a TFE Request
  ◦ Submitted electronically via Form/Template through a secure portal or alternate format designated by RE
  ◦ Documents detailed information for REs to determine if TFE should be accepted on interim basis
  ◦ Documents data for NERC to develop wide-area Annual Report to FERC and for NERC’s oversight of TFE process
  ◦ Shall be confidentially posted to a RE db and available for review by NERC and other REs to ensure consistency
  ◦ Used by RE to implement electronic system for receiving and cataloguing TFE requests
TFE Request - Submittal Process (Part A & Part B)
◦ Part B: Detailed information for determining if TFE should be granted including:
  ◦ Documents, drawings & other information needed for details and justification of TFE
  ◦ Description of mitigating measures in use to meet the purpose of the Std/Requirement while TFE is in effect
◦ Available onsite for RE/NERC review during audit, spot-check or other compliance inquiry
  ◦ In special cases, RE can require all or portion of information is filed with RE, provided this can be done securely with NO compromise of sensitive information
◦ Must be completed at same time as Part A.
Initial (Preliminary) TFE Review
◦ Completed within 60 days of submittal
◦ Upon completion, RE to notify Responsible Entity:
  ◦ TFE accepted on interim basis
  ◦ TFE deficient but could be accepted with changes
  ◦ TFE denied with justification
If deficient, RE to provide instruction to make TFE acceptable
◦ 30 days to resubmit minor correction
◦ 60 days to resubmit major correction
Final (Substantive) TFE Review
◦ Starts after Interim Acceptance and is completed within 360 days of submittal
◦ Review verifies supporting documentation and that Responsible Entity is performing compensating measures to eliminate TFE
◦ Review will be at Entity site or via alternate means with adequate protection of sensitive data
◦ Review will conclude one of the following:
  ◦ Final Approval
  ◦ Conditional Approval subject to certain changes being made in a specific timeframe
  ◦ Revocation
RE can request additional time to complete review (no more than 60 days)
RE to provide final report to NERC within (30) days after detailed review and closure
REs to manage Enforcement process, and as needed, the Hearing process when TFE not accepted OR when entity fails to implement outlined measures
Appeals of rejected TFEs to be addressed via normal Compliance process and hearings, if necessary
August, 2009
◦ Joint Proposal to be finalized
◦ TFE Package to be posted for public comment
  ◦ Joint Proposal
  ◦ New proposed Appendix 4D to the NERC RoP
  ◦ Part A Electronic Form with Instructions
September, 2009
◦ Comments on TFE Package due
◦ Updated Interim Guidance to be posted
◦ Part A Form implemented to start accepting TFE Requests
◦ Development of permanent TFE Program to continue
◦ Revisions to NERC’s RoP, the CMEP and a new Appendix 4D to NERC’s RoP (based on Initial TFE Program Proposal)
To be filed with FERC for approval