Texas Data Transport Work Group Review RMS Meeting May 29, 2002

Agenda  TDTWG Goal  TDTWG History  TDTWG Plans  Review Existing System & Issues  Review ERCOT Phase 1 and 2 Solutions  Implementation Strategy  Frequently Asked Questions & Issues  Questions and Approvals

Texas Data Transport Work Group Our Goal is a Transport Standard for the Texas Market Participants that is optimal in:  Security  Reliability  Efficiency  Simplicity  Cost

Texas Data Transport Work Group History  September 2000 :  PUCT Work Group formed to develop data transport standard for point-to-point  ERCOT involvement delayed until after market opening  October 2000 :  Consensus reached by TDTWG to standardize on GISB EDM for point-to-point  PUCT approves recommendation of TDTWG  November – December 2000 :  Drafted strawman document, revised, and reviewed  January 2001  Completed document and reached approval consensus  February 2001  Began testing of GISB EDM  July 2001  Under RMS direction, TDTWG begins review of GISB EDM improvements and recommendations for ERCOT

Texas Data Transport Work Group History  September 25, 2001 :   “The group unanimously agreed to pursue the GISB EDM solution ‘with additional features’ …”  October 2001 :  TDTWG works with ERCOT to formulate plan to ultimately replace FTP  November 2001 :  ERCOT FTP Replacement plan approved by RMS  Includes NAESB / GISB EDM 1.6 with improvements  March 2002 :  NAESB EDM work group approves TDTWG/ERCOT proposed improvements for 1.6 inclusion  April 2002 :  ERCOT FTP Replacement phase 1 successfully tested  May 2002 :  ERCOT seeks funding approval from RMS on implementing NAESB / GISB EDM 1.6  TDTWG publishes FTP replacement document documenting and justifying advantages of FTP replacement plan

Texas Data Transport Work Group Plans Continue and complete work on:  “Best Practices” for transaction bundling, enveloping and transmission  Present working document to Texas SET  ERCOT Implementation Guideline for FTP Replacement Scripts – review for improvements and approve  TDTWG Implementation Guideline for NAESB/GISB EDM 1.6  Provide details of implementation to minimize costs of MP’s (e.g. OpenPGP – use of and encryption algorithm details)  Provide certification testing details to TTPT

ERCOT Encryption/Decryption Processing (B) Process Monitoring (D) FTP Mail (A) Translation/ Meter Data Enrollment Invoices ( C ) Current System Overview FTP GISB EDM Market Participant B FTP GISB EDM Market Participant A Market Participant C FTP

Issues with FTP Solution  Potential Security Risks  Sensitive Data passed in the clear  Vulnerable to sniffing by middleman  FTP server is vulnerable to attack  Lack of guaranteed delivery  Error prone file transmissions  Failures during MPUT/MGET operations can result in files being resent  Can result in “incomplete” file transmissions  No control over file naming conventions (duplicate names)  Not Firewall friendly

Issues with FTP Solution  Has Auditing “Blind spots”  No transport acknowledgement receipts  No transport message identifiers  Encryption key management and access controls  Two Systems Required for most MP’s:  GISB EDM (Point to Point)  FTP (ERCOT)  PGP is costly - ($10,000/server)

Market Participant Feedback  FTP process is unreliable and error prone  Some have suggested replacing FTP with GISB EDM v1.4, the solution currently used for point- to-point transaction data exchange

Issues with GISB EDM Solution  Security Risks (per Sandia report)  Usernames/Passwords passed in clear  same problem as FTP  Vulnerable to man in the middle attacks, sniffing  same problem as FTP  Vulnerable to replay attacks  same problem as FTP  Cost of PGP ($10,000/server)  Cost of GISB solution ($50,000+) can be prohibitive for small market participants  No payload identification for XML  Requires Internet accessible server 24x7  No support for mailboxing/pull (currently push only solution)

Ideal Solution  Highly reliable solution, like GISB EDM  High degree of security to protect all sensitive data and prevent hacker attacks  Scalable/high performance  Multi-platform support  Firewall friendly  Comprehensive logging, tracking and auditing  Minimal impact on Market participants (easy to implement/smooth migration)  Ability to track a transactions status throughout entire processing life cycle (transport through application processing)  Implement guaranteed delivery mechanism and eliminate potential for incomplete file transfers and duplicate file transmissions  Support for both Push and Pull models  Low cost for Market Participant  Implement-able ASAP in order to address security issues

Proposed Solution  GISB EDM with the following additional features:  Secure Sockets Layer (SSL)  Unique Message identifiers for tracking & security purposes  Support for XML  Support for Open PGP  TDTWG and ERCOT worked with GISB/NAESB to implement these additional features – now in EDM 1.6

ERCOT Encryption/Decryption Processing (B) Process Monitoring (D) HTTPS Mail (A) Translation/ Meter Data Enrollment Invoices ( C ) Phase 1 Solution - System Overview TDTWG GISB EDM (v1.4) HTTPS “PULL” Market Participant A Market Participant B TDTWG GISB EDM (v1.4) HTTPS “PULL” Market Participant C HTTPS “PULL”

ERCOT Encryption/Decryption Processing (B) Process Monitoring (D) “Enhanced” GISB EDM (A) Translation/ Meter Data Enrollment Invoices ( C ) Phase 2 Solution - System Overview Market Participant A TDTWG GISB EDM With Additional Features (v1.6) Market Participant B TDTWG GISB EDM With Additional Features (v1.6) Market Participant C HTTPS “PULL” HTTPS Mail

Timing  Phase 1 Solution - ERCOT HTTPS ERCOT HTTPS (FTP replacement) April 2002 – Certification Testing May 2002 – Production Implementation May 2002 – Production Implementation  Phase 2 Solution - NAESB/GISB EDM 1.6: NAESB/GISB EDM 1.6: Complete Migration Depends on Complete Migration Depends on ERCOT Implementation ERCOT Implementation & Vendors & Vendors 4Q 2002 Possible 4Q 2002 Possible

Frequently Asked Questions/Issues Is FTP security a true problem or just a potential problem? Yes – and we have had known occurrences Why not just implement the current GISB EDM 1.4 or 1.5 TDTWG solution at ERCOT? Both GISB EDM Versions 1.4 and 1.5 have security problems like FTP - as documented in the Sandia report on GISB EDM. In addition, GISB EDM would be a significant cost burden to the smaller MP’s (e.g. NOIE’s) so a low cost “pull” script is still a requirement for ERCOT Does an MP have to buy PGP now in order to communicate via FTP with ERCOT? Yes, and it is reported to be increasing in price from $10,000 per server to $10,000 per CPU.

Frequently Asked Questions/Issues What is being done about the PGP cost problem? Both the FTP replacement at ERCOT and the GISB EDM additional features (v1.6) will specify “OpenPGP” as the encryption standard. OpenPGP is open source software with free available downloads Is ERCOT or the TDTWG developing a competing standard to GISB EDM? No. ERCOT and TDTWG are actively working with GISB to make sure this does not occur and we have one standard. ERCOT proposed enhancements have been approved for NAESB/GISB EDM Is ERCOT competing with software vendors by distributing the FTP replacement? ERCOT has stated no. These are replacement scripts to the FTP scripts originally sent out by ERCOT/Accenture – equivalent to a version 2 release Will the FTP replacement scripts be a major improvement in security? Yes. ERCOT has stated that the same additional security features recommended by Sandia for GISB EDM are being implemented in the FTP replacement scripts.

Frequently Asked Questions/Issues Will ERCOT allow both the FTP and the FTP replacement (HTTPS “pull”) protocols during the March 2002 test flight? ERCOT/Rob Connell stated in Nov 27 con call that this was under serious consideration Will ERCOT allow MP’s to use FTP until the GISB EDM with additional features (v1.6) is available? As was explained in the Nov 27 con call, the exact availability of GISB EDM v1.6 cannot be accurately estimated. ERCOT/Rob Connell explained the importance of the security and reliability (guaranteed delivery and tracking) of the FTP replacement protocol which may mandate implementing the FTP replacement before GISB EDM v1.6 is available Is GISB being renamed to EISB? NO. At last report the new name effective 2002 will be North American Energy Standards Board. (NAESB)

Questions?