Update on WECC’s Internal Controls Evaluation
Keshav Sarin, Manager, Compliance Risk Analysis
June 3, 2014, Salt Lake City, UT

Agenda
- Overview of the Risk-Based Strategy
- Overview of WECC’s Internal Controls Evaluation Process
- Update on WECC’s Internal Controls Pilots
- Update on Inter-regional Activities

Compliance Risk Analysis – Roles and Responsibilities
- Technical Analysis
  - Self Reports / Self Certifications
  - Mitigation Plans / Extensions
  - Completion of Mitigation Plans
- Risk Analysis (new)
  - Identify risks to reliability and compliance
  - Identify the controls that address these risks
  - Make recommendations to strengthen controls

What could the risk-based compliance strategy look like?
- Identify areas of interest
  - Electrical
  - Cyber Security
  - Compliance
  - Other areas
- Entity Risk Assessment
  - Electrical footprint
  - Compliance history
  - Other factors
- Internal Controls Evaluation
  - Controls that prevent non-compliance
  - Controls that detect non-compliance
- Customize Compliance Oversight
  - Compliance Monitoring Strategy
  - Compliance Enforcement Strategy

Internal Controls Evaluation Process
- Determine scope
  - Determine areas that might cause risk to compliance and reliability
  - Create a list of questions on the preventative, detective, and corrective controls related to the standards in scope
- Issue survey to entity
  - Spreadsheet-based format
  - Entity describes the design and implementation of the controls related to the standards in scope
- On-site visit
  - WECC reviews the entity’s response
  - Determine a list of controls that need further discussion
  - Meet with the entity’s senior leadership and Subject Matter Experts
- Complete evaluation
  - Determine entity best practices
  - Highlight areas of improvement
  - Determine the list of standards where the entity has stronger controls
  - Share results with the entity
  - Determine the compliance oversight strategy

Internal Controls Evaluation – Sample Questions
- Are the controls the result of a careful approach?
- What is the likelihood that the control will reduce the likelihood of non-compliance?
- What is the likelihood that the control will detect non-compliance in a timely manner?
- How well is the control implemented?

Example of Controls for Managing Ports and Services (CIP R2)
- A list of the software installed on the cyber assets is established
- Verify that only ports and services with a valid business need are running
- Apply host-based firewalls with a default-deny rule
- Perform automated port scans on a regular basis and alert on any variances
- Compare the results of port scans with a verified baseline
- Keep all services up to date and remove any unnecessary components from the system
- Operate critical services on separate host machines
- Place application firewalls to validate the traffic and alert on any unauthorized traffic

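The two scan-related controls in the list above (automated port scans on a regular basis, compared against a verified baseline, with alerts on variance) are a detective control that is straightforward to automate. What follows is an added example, not code from the WECC presentation: a Python script that parses nmap grepable output (`-oG`), diffs the open ports per host against a baseline that records the business justification for every allowed port, and emits one alert line per variance. It flags three kinds of variance: a port open that the baseline does not justify, a baseline port that is no longer open (a service may have failed or been reconfigured), and a host that answered the scan but is not in the baseline at all. The hosts, ports, justifications and the scan text are all constructed for this example.

```python
"""Compare an nmap grepable scan (-oG) against a verified port/service
baseline and report variances: ports open that nobody justified, baseline
ports that are no longer open, and hosts the baseline does not know about."""
import re
from dataclasses import dataclass, field

# Verified baseline: host -> {(port, proto): business justification}.
# Hypothetical ESP hosts and justifications, constructed for this example.
BASELINE = {
    "10.20.30.11": {(22, "tcp"): "SSH admin access from the jump host",
                    (502, "tcp"): "Modbus/TCP polling of RTUs"},
    "10.20.30.12": {(443, "tcp"): "HMI web interface"},
    "10.20.30.14": {(22, "tcp"): "SSH admin access from the jump host"},
}

# Constructed nmap -oG output (tabs separate the Host / Ports / Ignored State fields).
SAMPLE_SCAN = """# Nmap scan initiated (header abbreviated)
Host: 10.20.30.11 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 502/open/tcp//mbap///\tIgnored State: closed (997)
Host: 10.20.30.12 ()\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.20.30.13 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
# Nmap done (footer abbreviated)
"""

# Grepable port entry: port/state/proto/owner/service/...; owner is empty here.
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)//([^/,]*)/")


def parse_grepable(scan_text):
    """Return host -> {(port, proto): service} for the ports nmap reported open."""
    hosts = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        open_ports = {}
        for port, state, proto, service in PORT_RE.findall(line):
            if state == "open":
                open_ports[(int(port), proto)] = service
        hosts[host] = open_ports
    return hosts


@dataclass
class Variance:
    host: str
    unexpected: dict = field(default_factory=dict)  # open, but not in baseline
    missing: set = field(default_factory=set)       # in baseline, but not open
    unknown_host: bool = False                      # host absent from baseline


def compare_to_baseline(scan, baseline):
    """Diff scan results against the baseline; an empty list means no variance."""
    variances = []
    for host, open_ports in scan.items():
        expected = baseline.get(host)
        if expected is None:
            variances.append(Variance(host, unexpected=dict(open_ports), unknown_host=True))
            continue
        unexpected = {k: v for k, v in open_ports.items() if k not in expected}
        missing = set(expected) - set(open_ports)
        if unexpected or missing:
            variances.append(Variance(host, unexpected, missing))
    for host, expected in baseline.items():
        if host not in scan:  # baseline host not seen: down, or the scan scope drifted
            variances.append(Variance(host, missing=set(expected)))
    return variances


def format_alerts(variances):
    """Render variances as one alert line each, suitable for a ticket or SIEM feed."""
    alerts = []
    for v in variances:
        if v.unknown_host:
            alerts.append(f"ALERT {v.host}: host not in baseline")
        for (port, proto), service in sorted(v.unexpected.items()):
            alerts.append(f"ALERT {v.host}: unexpected open port {port}/{proto} ({service})")
        for port, proto in sorted(v.missing):
            alerts.append(f"ALERT {v.host}: baseline port {port}/{proto} not open")
    return alerts


if __name__ == "__main__":
    for alert in format_alerts(compare_to_baseline(parse_grepable(SAMPLE_SCAN), BASELINE)):
        print(alert)
```

Run against the constructed scan, the script raises four alerts: telnet open on 10.20.30.11, an unknown host 10.20.30.13 with RDP open, and the baseline SSH port on 10.20.30.14 not found open. The baseline doubles as the evidence the control matrix asks for: each allowed port carries its justification, so a variance review starts from the documented business need rather than from a bare port list.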
Example of Controls for Communications and Coordination (COM-002-2 R2)
- A three-part communication process is clearly established
- Operators are trained regularly on three-part communication
- Operators use three-part communication for all information exchange, not just directives
- Operator consoles have a visual reminder to use three-part communication
- All directives are recorded on tape
- The shift supervisor regularly listens to the tapes to verify three-part communication
- Feedback is given to operators on improving three-part communication

Application of Internal Controls Evaluation Results
- The scope, frequency, and depth of audits may be altered
- Self Certification requirements may be reduced or focused
- Mitigation Plan requirements may be reduced or focused
- Violation processing may be streamlined
- Could be considered during settlement
- Other?

Internal Controls Evaluation Pilots
- Completed the second pilot evaluation last month
- Provided best practices and recommendations to the entity
- The entity provided helpful and positive feedback to WECC
- The WECC audit team used the results of the controls evaluation to exclude certain requirements from the audit scope
- The entity was selected for the Compliance Exception Pilot

Internal Controls – Next Pilot
- Internal controls evaluation in progress
- Identified risk areas related to the CIP standards
- Issued a controls questionnaire to the entity
- Reviewing the entity’s response
- Will draft recommendations and data requests to substantiate the findings
- Received suggestions from the entity to improve the process

Internal Control Evaluation – Summary
- WECC has conducted 3 evaluations to date
- WECC plans to conduct 5-6 evaluations in total during 2014
- The process is evolving, but it is also built flexibly to adapt to the final NERC/Regional RAI process

Update on Inter-regional Activities
- Shared pilot results and process ideas with all Regions and NERC throughout 2013 and 2014
- Participated in inter-regional project teams to draft a single RAI approach
- Next steps
  - Finalize the risk, scoping, and control evaluation processes
  - Train on and deploy the new processes in 2015

Next steps for registered entities?
- What controls do you have to ensure reliability and compliance?
- Are these controls preventative and detective?
- Is there an assigned owner for the control?
- Do you have evidence to show that the controls are implemented?
  - Flowcharts
  - Narrative
  - Control matrix

Control Matrix – Example

Standard: PRC-005-1b R2, PRC R1
Control description: XYZ Generation Station uses the functionality of the PDQ Database, which contains all Protection System devices and tracks, records, and stores all Protection System device maintenance and testing records, in addition to the maintenance and testing procedures for all devices. XYZ uses microprocessor-based relays exclusively, and the maximum interval identified for maintenance and testing is once every 8 years; this includes DC control circuitry, CTs, and PTs. PDQ generates a work order on the first day of each quarter for the quarterly inspection. If battery records have not been recorded by the end of month 2 of a given quarter, a reminder is sent out weekly until PDQ has been updated.
Type: Preventative
Owner: Sr. Plant Engineer
Evidence: Protection System device test procedures; screen shots of programmed testing intervals; PDQ screen shot of reminder notices

Standard: CIP R3
Control description: The IT security department uses AAA software to track the availability of all security patches for its Cyber Assets within the ESP(s). The software checks vendor websites each week and automatically sends patch availability notifications to a group of individuals and their supervisor. The software also has a built-in list of tasks that must be completed when a patch is made available; these tasks serve as a checklist that must be completed for each patch. On a monthly basis, a member of the IT security department conducts a random verification of all patches that were available during that month and verifies that the patch assessment was completed per the established process.
Type: Detective
Owner: IT Security Analyst
Evidence: AAA screenshot; sample notification; list of tasks on the checklist; random verification report; supervisor approval

Internal Control Evaluation – Summary
- This is a new and evolving process
- The goal is to implement a risk-based approach to compliance oversight
- Allows WECC to use ICE results to customize compliance monitoring and enforcement processes
- Provides entities with an assessment of strengths and weaknesses that could improve overall reliability