This 2019 Reliability Review Subcommittee Annual Assessment (2019 Annual Report) was developed by the SERC Reliability Review Subcommittee (RRS). This assessment was developed based on data and narrative information collected by SERC from its Registered Entities to independently assess the long-term reliability of the SERC BPS while identifying trends, emerging issues, and potential risks during the ten-year assessment period. The Reliability Review Subcommittee (RRS), at the direction of SERC’s Engineering Committee, supported the development of this assessment through a review process that leveraged the knowledge and experience of system planners, RRS members, SERC staff, and other subject matter experts. This review process ensures the accuracy and completeness of all data and information. The SERC Engineering Committee reviewed and approved this assessment.
SERC is committed to providing training and non-binding guidance to industry stakeholders regarding emerging and revised Reliability Standards. However, compliance depends on a number of factors including the precise language of the Standard, the specific facts and circumstances, and the quality of evidence.
8:00 a.m. Welcome SERC/Entergy Opening
Entergy and SERC Welcome and Kickoff
Introductions
SERC Entity Assistance Program Overview
Review Agenda and Objectives
Objectives
Share insights on CIP and O&P most violated standards in the ERO and examine analytics and trends specific to the Gulf Coast Region
Review CIP “themes” for the SERC Region and recommendations for mitigating risks
Understand SERC technical committees’ role in identifying and supporting risk mitigation
Review best practices in Vegetation Management for the Gulf Coast landscape
Provide guidance on System and Configuration Management
Identify issues, best practices, and emergency operations related to Cold Weather
8:15 a.m. Life Cycle of a Violation and Most Violated Standards in the ERO — Drew Slabaugh
8:45 a.m. Analytics and Trends (CIP and O&P) — Bill Peterson
9:30 a.m. Break
9:45 a.m. CIP Themes in the SERC Region — Todd Beam
10:30 a.m. SERC Committees and Reliability Risks— Gaurav Karandikar
11:00 a.m. Vegetation Management Best Practices— Serge Beauzile
11:30 a.m. System and Configuration Management— Matt Stryker
12:00 p.m. Lunch
1:00 p.m. Cold Weather/Emergency Operations— Charles Hall
1:45 p.m. Wrap-up/Discussion/Questions— Bill Peterson
2:00 p.m. Entergy Closes Session
Bill Peterson, MBA, CISM, CISSP
SERC Reliability Corporation Manager, Outreach and Training
Bill Peterson is the Manager, Outreach and Training with SERC Reliability Corporation, a corporation responsible for promoting and improving the reliability, adequacy, and critical infrastructure protection of the bulk power system in all or portions of 16 Southeastern and Central states. Previously, Mr. Peterson was the Program Manager, Cyber Security in the Technical Resources department and a Senior CIP Engineer in the Compliance group. Prior to joining SERC, he was a CIP Lead with Duke Energy working on various CIP projects, audit preparations, Mitigation Plans, Self-Reports, etc. Prior to that, Bill was a CIP Analyst and System Administrator with the New York Power Authority working on CIP audit preparations, system administration, network security, network operations, and IT project management. Mr. Peterson has a Master’s in Business Administration with a concentration on Information Technology Management from the State University of New York at Utica/Rome. Mr. Peterson has a Bachelor of Science degree with a dual major in Computer Engineering and Electrical Engineering Technology from the State University of New York at Utica/Rome. In addition, Bill is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and has a Leadership Certificate from Cornell University.
Drew Slabaugh
SERC Reliability Corporation Legal Counsel
Drew Slabaugh has been Legal Counsel with SERC Reliability Corporation for six years.
Previously, Mr. Slabaugh was a law clerk for Judge Robert Conrad of the United States District Court for the Western District of North Carolina. Prior to attending law school, he was a consumer lending banker with SunTrust bank.
Mr. Slabaugh has a Juris Doctor from Charlotte School of Law and a Bachelor of Arts degree with major in Political Science from the University of North Carolina at Chapel Hill.
Todd Beam
SERC Reliability Corporation Senior Lead Compliance Specialist
Todd Beam is the Senior Lead Compliance Specialist at SERC Reliability Corporation, a nonprofit corporation responsible for promoting and improving the reliability, adequacy, and critical infrastructure protection of the bulk power system in all or portions of 16 southeastern and central states. Todd works on the Entity Assessment and Mitigation team, which is responsible for conducting entity inherent risk assessments (IRA) and internal controls evaluations (ICE), and for providing registered entities a single point of contact for all noncompliance issues. Prior to joining SERC in February 2012, Todd was employed by Duke Energy Corporation in Charlotte, NC for 25 years, where he worked in a variety of roles. His most recent role was for four years as the CIP Compliance Project Manager for BA/TOP and TO with a focus on transmission substations. Prior to that he spent seven years as the Supervisor of Routine Work and Outage Restoration and Management.
Gaurav Karandikar
SERC Reliability Corporation Manager, RAPA & Technical Services
Gaurav Karandikar is the Manager, Reliability Assessment, Performance Analysis, and Technical Services with SERC Reliability Corporation. Mr. Karandikar has been with SERC for more than four years.
The reliability assessment, performance analysis, and technical services group is responsible for providing value-added services to the SERC entities by engaging in a collaborative environment through various technical committees and their subgroups. Mr. Karandikar has over twenty years of industry experience with Siemens PTI, Ameren Services, and Alstom. Mr. Karandikar has a Master of Science in Electrical Engineering with a concentration in Power Systems from Missouri University of Science and Technology, Rolla, Missouri. Mr. Karandikar has a Bachelor of Science degree in Electrical Engineering from Malviya National Institute of Technology, India. In addition, Bill is a senior member of IEEE and has a Leadership Certificate from Cornell University.
Serge Beauzile, MS, PE
SERC Reliability Corporation Senior O&P Compliance Auditor
Serge joined SERC in July 2019 as a Senior Operations & Planning (O&P) Auditor. Previously, he had worked at the Florida Reliability Coordinating Council (FRCC) Regional Entity as a Compliance Engineer since June 2017. He was a member of the FRCC O&P team that monitored and enforced compliance with NERC Reliability Standards and FRCC Regional Reliability Standards. Serge began his career in 1990 with the Long Island Lighting Company (LILCO), assuming several roles including System Planning Engineer, Load Research Engineer, System Control and Protection Engineer, and Supervisor of System Analysis. In 2005, he joined Lee County Electric Coop as a Design Engineer. In 2006, he joined Progress Energy Florida as a Transmission Planning Engineer and later became Manager of Grid Management. In 2009, he was hired by Lakeland Electric as Substation Engineering Supervisor, and later became Manager of Substation Operations, responsible for overseeing and directing all functions relating to engineering, construction, maintenance, and operations of Lakeland Electric substations. Serge graduated from Manhattan College with a Bachelor of Engineering in Electrical Engineering in 1990, and received a Master of Science in Electrical Engineering from New York University (Polytechnic) in 1997. He has been a member of IEEE since 1984, and is a licensed Professional Engineer in the States of New York and Florida.
Matt Stryker
SERC Reliability Corporation Senior CIP Compliance Auditor
Matt joined the CIP Compliance audit team at SERC Reliability Corporation in January 2019. Previously, Matt Stryker was a Supervisor of CIP with Georgia System Operations Corporation (GSOC) in Tucker, Georgia. He worked in the Security Operations department on both physical and electronic security processes in support of Georgia Transmission (GTC) and GSOC’s compliance with the NERC CIP Reliability Standards. Mr. Stryker performed similar roles as a Group Lead of CIP for Georgia Transmission Corporation (GTC) beginning in 2012. Before that, Mr. Stryker held positions as a Senior CIP Compliance Auditor and later as the Manager of CIP Compliance Monitoring at SERC Reliability Corporation. He served as an Audit Team Lead or team member during audits of compliance with NERC Reliability Standards in the SERC Region.
Matt has more than 15 years of security experience in asset management, physical security, network operations, and compliance. Matt holds the ASIS Physical Security Professional (PSP) and the ISC2 Certified Information Systems Security Professional (CISSP) certifications. Matt holds a Bachelor of Science degree in Management from Georgia Tech.
Charles E. Hall
Entergy Vice President, Power Plant Operations
Charles Hall was named vice president, power plant operations for Mississippi, in January of 2016. In this capacity, Hall oversees all aspects of operations for Entergy’s fleet of power generating plants owned by Entergy Mississippi, Inc. Hall began his career in 1981 at White Bluff Plant near Redfield, Arkansas, working over 10 years in plant operations. He worked at several generating plants in both operations and maintenance until 2014, progressing through numerous positions, including maintenance operator, mechanical maintenance and operations technician, supervisor, and superintendent. In 2014, Hall was named power plant manager at Gerald Andrus Plant in Greenville, Mississippi. A native of Little Rock, Arkansas, Hall studied business administration at the University of Arkansas at Little Rock.
Lifecycle of a Violation
Drew Slabaugh
Violation Processing – The Players
SERC - Enforcement
SERC - Management
Entity
SERC - RAM
NERC
FERC
Risk Assessment and Mitigation (RAM)
Phases:
Initial Discovery:
Triage:
RFIs: Cause Identification, Scope Assessment (EOC), Risk Assessment, Mitigation, Internal Controls
Initial Filing Determination
Filing Mechanisms
Compliance Exception (CE)
Find, Fix, Track and Report (FFT)
Spreadsheet Notice of Penalty (SNOP)
Full NOP
Enforcement
Review Factual Basis, Risk, Cause, and Mitigation
Determine final filing mechanism
Determine Penalty
Internal Approvals
Settlement
External Approvals
NERC
FERC
Most Violated Standards in the ERO
Minimal Risk
Moderate Risk
Serious Risk
Analytics and Trends
Bill Peterson
Introduction
What are the top 10 most violated NERC standards and requirement for my subregion?
What is the NERC CIP self-report ratio for my sub-region? What is the average?
What is the NERC O&P self-report ratio for my sub-region? What is the average?
Entity Outreach is focused on Coaching and Training.
CIP Themes
Todd Beam
Introduction
The main themes the Regions have identified are:
1. Development of organizational silos;
2. Disassociation between compliance and security;
3. Lack of awareness of an entity’s needs or deficiencies; and
4. Inadequate tools or ineffective use of tools.
Development of Organizational Silos
SILOS
Organizational silos result from a lack of internal coordination and uniformity between business units, departments, or layers from the top down.
Key Concepts
Vertical Silos:
Between Business Units or Departments
Horizontal Silos:
Between Layers from the Top Down
Bureaucratic Paralysis
Occurs as a result of too many unnecessary layers of review.
Disassociation between Compliance and Security
Disassociation results when the organization treats security and compliance as completely separate functions that serve separate purposes, resulting in a diminished value or emphasis on compliance.
Lack of Awareness
Lack of Awareness results when there is no understanding of how an entity’s systems work or how its compliance department is functioning and performing.
AWARENESS
Key Concepts
Causes of Lack of Awareness:
1. Lack of Vigilance
2. Insufficient Expertise
3. Lack of Engagement with the Regulator
4. Inadequate Root Cause Analysis
Ensuring Awareness
Quality Management
Focuses on objective evaluations of the quality of an organization’s activities to ensure the integrity of the activities.
Quality Management plans should include:
Independent checks
Staff participation
Mechanisms for raising quality
Inadequate Tools or Ineffective Use of Tools
TOOLS
Inadequate Tools or Ineffective Use of Tools is the result of not using tools that are necessary given an entity’s environment, improper configuration of tools, and overreliance on automated tools.
Key Concepts
Automation Risks?
Follow documented process to configure
Validate configuration
Conduct periodic checks to ensure automation is functioning as intended
SERC Committees and Reliability Risk
Gaurav Karandikar
Team Members
Melinda Montgomery – Sr. Director, Advanced Analytics & Technical Services
Richard Becker – Program Manager, Engineering
Dave Krueger – Program Manager, Operations
Marty Sas – Senior Lead Engineer
Evan Shuvo – Senior Engineer, RAPA
Teresa Glaze – Sr. Technical Analyst
Technical Committees – Purpose
Working Groups
Reliability Program
Reliability Assessment
Performance Analysis
Situational Awareness
Event Analysis
Advanced Analytics
Reliability Risks
ERO 2019 Risk Categories
Grid Transformation
Extreme Natural Events
Security Vulnerabilities
Critical Infrastructure Interdependency
What are the 2019 Top Reliability Risks to the SERC Region?
SERC Ranked Risk Elements
Manage: Emerging risks where mitigation plans need to be developed and implemented.
Monitor: Risks that already have mitigation plans that have been implemented and that also may be ongoing.
Next Steps
Current Risk Process
Enhanced Future Process
Vegetation Management Best Practices
Serge Beauzile
Background
FAC-003-4
A Healthy TVM Program uses Internal Controls:
Document Control (R1-R7)
Work Trigger Document (R3)
Inspections (R6)
Quality Assurance (R6-R7)
Supplier Performance Management System (R7)
Operational Excellence
Operational Excellence
People:
Process:
Technology:
Is Documentation Enough?
• The best possible strategy or procedure is useless if it is not put into practice.
• Putting it into practice requires simplification, because the forester in the field does not have the ability to perform a detailed analysis for each span.
Compliance Approach
What Can We Do?
CIP-010-2 R1 System and Configuration Management
Matt Stryker
Part 1.1: Baseline
Part 1.2: Changes:
Part 1.3 & 1.4: Changes- Timeline and Controls
Part 1.5: Testing
Part 1.6 (p/o v3): Source verification
SERC Evidence Request Tool 3.1 Level 2
For each Cyber Asset in Sample Set SS-010-R1-L2-01:
CIP-010-R1.1-L2-01: provide the baseline configuration for this Cyber Asset as of the dates in SS-DATE-04.
CIP-010-R1.2-L2-02: for the range of dates in SS-DATE-04, provide evidence of the authorization and documentation of each change that deviated from the then-existing baseline configuration.
CIP-010-R1.3-L2-03: for the range of dates in SS-DATE-04, provide the following evidence for each change that deviated from the then-existing baseline configuration:
1. The date of the change; and
2. The date the baseline was updated; and
3. Evidence that the baseline was updated to reflect the change.
CIP-010-R1.4-L2-04: for the range of dates in SS-DATE-04, provide the following evidence for each change that deviated from the then-existing baseline configuration:
1. Documentation of the determination of the required cyber security controls in CIP-005 and CIP-007 that could be impacted by the change; and
2. Documentation of the verification that required cyber security controls determined in CIP-010-2 R1 Part 1.4.1 were not adversely affected; and
3. Documentation of the results of the verification.
CIP-010-R1.5-L2-05: for the range of dates in SS-DATE-04, provide the following evidence for each change that deviated from the then-existing baseline configuration:
1. The date the change was implemented in a production environment.
2. Evidence that:
a) The change was tested in a test environment, or
b) The change was tested in a production environment, or
c) An approved TFE covers this Cyber Asset.
3. If the change was tested, provide evidence of the date testing was performed.
4. If the change was tested in a production environment, provide evidence of how adverse impacts on the production system were minimized.
5. If the change was tested, provide evidence that the testing ensured that the required security controls from CIP-005 and CIP-007 were not adversely affected.
6. If the change was tested, provide evidence that the test results were documented.
7. If the change was tested in a test environment, provide:
a) Evidence that the systems used for testing modeled the baseline configuration of the target production system.
b) Evidence that the differences between the test and the production environments were documented, and
c) Documentation of the measures used to account for any differences in operation between the test and production environments.
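The evidence requests above boil down to one self-check an entity can run before an audit: diff the documented baseline (Part 1.1) against the observed configuration, then confirm every deviation has an authorized change record (Part 1.2) and a baseline update within the standard's 30 calendar days (Part 1.3). The following is an added example, not SERC, Entergy or ERT code; the asset name, software entries, dates and the field names of the baseline are constructed sample data.

```python
"""Added example: compare a CIP-010-2 R1 baseline against an observed
configuration and report evidence gaps per deviation. All asset names,
software versions and dates below are constructed, not from any entity."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Baseline element names follow CIP-010-2 R1 Part 1.1 (OS/firmware, installed
# software, custom software, logical network accessible ports, patches).
BASELINE_FIELDS = ("os_firmware", "software", "custom_software", "ports", "patches")

@dataclass
class ChangeRecord:
    asset: str
    field: str
    item: str
    change_date: date
    authorized_by: Optional[str]      # None = no authorization evidence (Part 1.2)
    baseline_updated: Optional[date]  # None = baseline never updated (Part 1.3)

def diff_baseline(baseline: dict, current: dict) -> list[tuple[str, str, str]]:
    """Return (field, kind, item) for every deviation from the baseline."""
    deviations = []
    for f in BASELINE_FIELDS:
        base, now = set(baseline.get(f, ())), set(current.get(f, ()))
        deviations += [(f, "added", i) for i in sorted(now - base)]
        deviations += [(f, "removed", i) for i in sorted(base - now)]
    return deviations

def evaluate_asset(asset: str, baseline: dict, current: dict,
                   records: list[ChangeRecord], max_days: int = 30) -> dict[str, list[str]]:
    """Map each deviation to its list of evidence gaps (empty list = clean).
    Part 1.3 requires the baseline to be updated within 30 calendar days."""
    index = {(r.field, r.item): r for r in records if r.asset == asset}
    findings = {}
    for f, kind, item in diff_baseline(baseline, current):
        gaps, rec = [], index.get((f, item))
        if rec is None:
            gaps.append("no change record")
        else:
            if not rec.authorized_by:
                gaps.append("change not authorized (Part 1.2)")
            late = rec.baseline_updated is None or (rec.baseline_updated - rec.change_date).days > max_days
            if late:
                gaps.append("baseline not updated within 30 days (Part 1.3)")
        findings[f"{f}:{kind}:{item}"] = gaps
    return findings

# Constructed sample for one hypothetical Cyber Asset, "rtu-gw-01".
BASELINE = {"os_firmware": ["ExampleOS 4.2"], "software": ["ssh-server 8.0", "ntpd 4.2.8"],
            "custom_software": [], "ports": ["22/tcp", "123/udp"], "patches": ["P-2019-03"]}
CURRENT = {"os_firmware": ["ExampleOS 4.2"], "software": ["ssh-server 8.0", "ntpd 4.2.8", "snmpd 5.8"],
           "custom_software": [], "ports": ["22/tcp", "123/udp", "161/udp"], "patches": ["P-2019-03", "P-2019-07"]}
RECORDS = [  # snmpd: authorized and baselined in 7 days; patch: unauthorized, baselined 48 days later
    ChangeRecord("rtu-gw-01", "software", "snmpd 5.8", date(2019, 7, 2), "J. Doe (CR-117)", date(2019, 7, 9)),
    ChangeRecord("rtu-gw-01", "patches", "P-2019-07", date(2019, 7, 15), None, date(2019, 9, 1)),
]
```

Run against real inventory exports, the output is the per-change list an auditor would walk through under CIP-010-R1.2-L2-02 and CIP-010-R1.3-L2-03; a deviation with no record at all (here the new 161/udp port) is the case most often missed when only the change tickets are reviewed.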
Cold Weather Preparedness
Charles Hall
Notes
SERC Reliability Corporation 3701 Arco Corporate Drive, Suite 300 Charlotte, NC 28273 704.357.7372 | Fax: 704.357.7914 www.serc1.org
September 10, 2019