Metric Challenges


Bheshaj Krishnappa
Risk Analysis & Mitigation

Forward Together • ReliabilityFirst

About RF

ReliabilityFirst preserves and enhances bulk power system reliability and security across 13 states and the District of Columbia.

The Boundaries of ReliabilityFirst include all of New Jersey, Delaware, Pennsylvania, Maryland, District of Columbia, West Virginia, Ohio, Indiana, Lower Michigan and portions of Upper Michigan, Wisconsin, Illinois, Kentucky, Tennessee and Virginia.

Data sets and Metrics approach -1

NERC CIP and O&P standards
• NERC Standards CIP-002 through CIP-014 covering areas of BES Cyber System Categorization, Security Management Controls, Personnel & Training, Electronic Security Perimeter(s), Physical Security of BES Cyber Systems, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for BES Cyber Systems, Configuration Change Management and Vulnerability Assessments, Information Protection and Physical Security

[Chart: CIP standard violations (representative chart). Categories: CIP-002 - Critical Cyber Asset Identification; CIP-003 - Security Management Controls; CIP-004 - Personnel and Training; CIP-005 - Electronic Security Perimeter(s); CIP-006 - Physical Security; CIP-007 - Systems Security Management; CIP-008 - Incident Reporting and Response Planning; CIP-009 - Recovery Plans for Critical Cyber Assets]

Data sets and Metrics approach -2

DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
• A maturity model to evaluate, prioritize, and improve cybersecurity capabilities. The areas assessed are Cybersecurity Program Management (CYBER), Asset, Change, and Configuration Management (ASSET), Information Sharing and Communications (SHARING), Identity and Access Management (ACCESS), Threat and Vulnerability Management (THREAT), Event and Incident Response, Continuity of Operations (RESPONSE), Risk Management (RISK), Situational Awareness (SITUATION), Workforce Management (WORKFORCE)

[Chart: Comparison chart of ES C2M2 domains in RFC region against all of NERC (representative chart). Series: RFC, NERC. Axis: CIP Violations. Categories: Risk Management (RISK); Identity and Access Management (ACCESS); Situational Awareness (SITUATION); Event and Incident Response, Continuity of Operations (RESPONSE); Cybersecurity Program Management (CYBER)]

Challenges to Resilience metrics

Point in time data
• Compliance statistics
  ‒ Violation history based on audits
  ‒ Cyber assets and vulnerabilities

Lack of Incident Response metrics
• Dwell time, Containment time, Remediation time

Lack of benchmark data for "Mean Time To Repair" or "Mean Time To Restore" to measure resilience

Lack of adoption of NIST CSF and availability of real-time data to assess Prevent, Detect, Respond, and Recover capabilities

Resilience metrics - Opportunities

Research on measurement of resilience indicators
• Share existing methods of cyber resilience measurement/approaches
• Engage larger or targeted stakeholders to pilot projects and build upon

Explore centralized data store and access
• ICS CERT, Assets database, threats and vulnerability database, etc.

Explore NIST Cybersecurity Framework / CERT Resilience Management Model to derive resilience metrics

Questions & Answers