Welcome! NERC 2019 Compliance and Standards Workshop, Embassy Suites (PowerPoint PPT Presentation)


SLIDE 1

RELIABILITY | RESILIENCE | SECURITY

Welcome!

NERC 2019 Compliance and Standards Workshop, Embassy Suites by Hilton, Minneapolis, July 23, 2019

SLIDE 2

NERC Antitrust Compliance Guidelines

It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers, or any other activity that unreasonably restrains competition.

SLIDE 3

Public Announcement

Participants are reminded that this meeting is public. Notice of the meeting was posted on the NERC website and widely distributed. The notice included the number for dial-in participation. Participants should keep in mind that the audience may include members of the press and representatives of various governmental authorities.

SLIDE 4

General Announcements

  • Safety
    • Fire exits
    • Calling 911
    • Alerting hotel staff
    • CPR
  • Other Logistics
    • Q&A
    • Restrooms

SLIDE 5

Today’s Agenda

  • 9:00 – 12:00 p.m.: NERC 101
    • Howard Gugel
    • Steve Noess
  • 12:00 – 1:00 p.m.: Lunch
  • 1:00 – 1:10 p.m.: Welcome and Introductions
    • Chris Boyd-Witherspoon
  • 1:10 – 1:30 p.m.: Keynote Remarks
    • Sara Patrick
  • 1:30 – 2:00 p.m.: Application of the ERO Enterprise’s Reliability Toolkit
    • Mark Lauby

SLIDE 6

Today’s Agenda

  • 2:00 – 3:30 p.m.: Internal Controls
    • Joseph Baugh
    • Keith Smith
  • 3:30 – 3:45 p.m.: Break
  • 3:45 – 4:45 p.m.: Internal Controls Panel
    • Ryan Mauldin
    • Paolo D’Alessandro
    • Kristen Long
    • Thad Ness
  • 4:45 – 5:00 p.m.: General Q&A | Closing Announcements
    • Chris Boyd-Witherspoon
  • 5:30 – 6:30 p.m.: Reception

SLIDE 7

SLIDE 8

Keynote Remarks

Sara Patrick, President and CEO, MRO
2019 Compliance and Standards Workshop, July 23, 2019

SLIDE 9

Welcome to Minnesota!

NERC Compliance and Standards Workshop

July 23, 2019

SLIDE 10

SLIDE 11

Whyte Ridge retention pond, Winnipeg, Manitoba (Source: Winnipeg Free Press)

White Bear Lake, Minnesota

SLIDE 12

SLIDE 13

A highly reliable and secure North American bulk power system.

SLIDE 14

SLIDE 15

SLIDE 16

SLIDE 17

Framework to Address Known and Emerging Reliability Risks

Mark Lauby, NERC Senior Vice President and Chief Reliability Officer
2019 Compliance and Standards Workshop, July 23, 2019

SLIDE 18

Resilience is a Characteristic of a Reliable System

[Diagram: nested scopes labelled Bulk Power System Reliability and Security, Bulk Power System Resilience*, and Bulk Electric System Reliability]

*Solely the Bulk Power System. Does not include local distribution systems.

NERC Reliability Assurance

  • Standards
  • Compliance
  • Enforcement
  • Registration
  • Certification

NERC Reliability Assessments and Performance Analysis

  • Reliability Assessments
  • System Analysis
  • Events Analysis
  • Performance Analysis
  • Situational Awareness

Operator Training E-ISAC

SLIDE 19

Resilience Indicators

[Figure: resilience curve R(t) against time t. A Disruptive Event at T_disruption degrades the system from Reliable operation (R_100%) to a nadir (R_ALR-Nadir); after T_rebound the system recovers to R_Target at T_recovered. Annotations: Reliability, Robustness, Amplitude, Degradation, Recovery, Recovery State (Improved or Deteriorated), Stable, and “If Detectable, Pre-Position”.]

SLIDE 20

Ensuring ALR

[Figure: the same resilience curve R(t) against t, with the Disruptive Event at T_disruption, the nadir R_ALR-Nadir, T_rebound, and recovery to R_Target (Recovered Steady-State) at T_recovered. Annotations: Reliable Operation, “Avoid & control (e.g. serve critical load)”, and “If Detectable, Pre-Position”.]

SLIDE 21

Declaration & Problem

  • Declaration: The Electric Reliability Organization (ERO) Enterprise requires a consistent framework to address and prioritize known and emerging reliability risks
  • Problem Statement
    • The ERO Enterprise has continued to lead industry in reliability and security initiatives to identify known and emerging risks and their mitigation
    • The reliability toolkit for risk mitigation the ERO currently deploys includes, for example: webinars and conferences, lessons learned, Alerts, Guidelines, and standard development.
    • A framework is needed that provides a transparent process using industry and ERO Enterprise experts
    • The framework must include risk identification, deployment of mitigation strategies, and monitoring of the success of these mitigations

SLIDE 22

Six-Step Framework

  1. Risk Identification
  2. Risk Prioritization
  3. Mitigation Identification and Evaluation
  4. Mitigation Deployment
  5. Measurement of Success
  6. Monitor Residual Risk


SLIDE 23

Six-Step Framework

SLIDE 24

Six-Step Framework

SLIDE 25

Six-Step Framework

SLIDE 26

Six-Step Framework

SLIDE 27

Six-Step Framework

SLIDE 28

Six-Step Framework

SLIDE 29

Guiding Principles

  1. Reliability Standards address sustained risks with moderate impacts which are probable, and severe impacts which are probable or improbable.
  2. Reliability Guidelines are used to address sustained risks that are probable or improbable. Guidelines are also used for items not in the ERO Enterprise’s jurisdiction, or for practices that improve reliability beyond standards.
  3. Lessons Learned are used for sustained risks or one-and-done activities with moderate impacts, whether probable or improbable.
  4. Alerts will be used for time-sensitive information: for information, to request action, or to direct action.
  5. A combination of tools can be used towards gaining industry action, setting the stage for standards as well as addressing a risk while a Standard is being developed. Likelihood, pervasiveness, and severity have a bearing on when a Reliability Standard is required.

SLIDE 30

Risk Tools and Time Horizon

SLIDE 31

Illustrative Diagram

SLIDE 32

SLIDE 33

CIP-013-1 Supply Chain Risk Management: Audit Approach & Internal Controls

NERC Compliance & Standards Workshop, Minneapolis, MN, July 23, 2019

  • Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security

SLIDE 34

WECC SCRM Outreach Disclaimer

  • This presentation discusses best practices for risk identification and assessment, as well as common project management and procurement principles (see also NERC, 2017 April, Implementation Guidance, pp. 1–10)
  • It may provide an entity with a basic road map to develop its CIP-013 SCRM program, risk identification and assessment methodology, processes, and procedures to support compliance with the Standard and enhance the reliability and security of the BES
  • Information and suggestions supplied in this presentation should not be considered a prescriptive solution that will guarantee compliance with CIP-013-1, as each entity has a unique blend of applicable BCS, vendors, products, and required services that may require a different approach
  • Thus, one size does not fit all, as the devil is always in the details of any specific plan

SLIDE 35

SCRM & Internal Controls

  • What is an internal control relative to compliance?
    • One or more processes that ensure an entity meets its objectives and goals for operational effectiveness, efficiency, and accurate reporting to demonstrate compliance with the NERC Reliability Standards, Requirements, and/or Parts, and that address risks associated with the reliable operation of its business during the implementation of the Standards
  • In order to develop a strong set of internal controls for CIP-013-1, an entity must develop and document its R1-R3 SCRM plan(s), processes, and procedures
  • A prudent entity will develop internal controls for ensuring timely and accurate compliance and effective artifacts in conjunction with its documented CIP-013-1 plans and processes, or shortly thereafter

SLIDE 36

SCRM Security Objective

  • CIP-013-1 impacts the procurement of products and services from vendors that are related to High and Medium BCS
  • The SCRM security objective states, “To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.” (CIP-013-1, Purpose section, p. 1)
  • CIP-013-1 audits will begin next year

SLIDE 37

Developing SCRM Plans & Internal Controls

  • What should I consider or include when developing my CIP-013-1 SCRM procurement plan?
    • R1 procurement plan and processes
      • Part R1.1
      • Part 1.2 (Parts R1.2.1 – R1.2.6)
      • CIP-005-6 (Parts 2.4, 2.5)
      • CIP-010-3 (Part 1.6)
    • R2 implementation aspects (i.e., how will I document each applicable procurement implementation)
    • R3 review and approval processes
    • Develop internal controls to ensure timely and accurate compliance and effective artifacts in conjunction with the CIP-013-1 plans and processes

SLIDE 38

Specific Vendor Risks

  • The Standard establishes minimum expectations for six key areas [R1.2.1 – R1.2.6] that require specific processes to address various components of vendor access and other risks to high and medium impact BCS through vendor products and/or services:
    1. Notifications of vendor-identified incidents,
    2. Coordination of responses to such incidents,
    3. Notification of termination of remote or onsite access to BCS for vendor representatives,
    4. Disclosure by vendors of known vulnerabilities,
    5. Verification of software and patch integrity and authenticity, and
    6. Coordination of controls for vendor-initiated IRA and system-to-system remote access.

SLIDE 39

CIP-013-1 R1

CIP-013-1 recognizes the risks posed by compromised BCS through vendor products and/or services and expressly requires applicable Responsible Entities to: “develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems. The plan(s) shall include” [see Parts R1.1 and R1.2]:

  • How can I comply with R1?
    • “Responsible entities should consider how to leverage the various components and phases of their processes (e.g. defined requirements, request for proposal, bid evaluation, external vendor assessment tools and data, third party certifications and audit reports*, etc.) to help them meet the objective of Requirement R1 and give them flexibility to negotiate contracts with vendors to efficiently mitigate risks.” (NERC, 2017 April, SCRM Implementation Guidance: General Considerations, p. 1)

* Bold font indicates [emphasis added], where applicable, to draw attention to specific items

SLIDE 40

CIP-013-1 Part R1.1

One or more process(es) used in planning for the procurement of BES Cyber Systems to identify and assess cyber security risk(s) to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s).

  • What does “identify and assess” mean in terms of developing and documenting the R1 SCRM plan?
  • Should an entity mitigate identified cyber security risks?
    • Yes, remember the CIP-013-1 Security Objective, “To mitigate cyber security risks…” (p. 1), which is reinforced by the note in the Requirement 1: Rationale section, “The security objective is to ensure entities consider … options for mitigating these risks” (Part 1.1, p. 11)

SLIDE 41

CIP-013-1 Part R1.2

One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable:

  • Do I really need to include specific processes and/or procedures for each of the six R1.2 Parts in my SCRM procurement plan?
  • What does “as applicable” mean in terms of my R1 plan and R2 implementation?

SLIDE 42

CIP-013-1 Part R1.2.1

Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;

  • How can an entity encourage vendors to provide such notifications?
  • What would a prudent entity do to mitigate identified risks?

SLIDE 43

CIP-013-1 Part R1.2.2

Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;

  • How can an entity establish this coordination of responses for such incidents?
  • What would a prudent entity do if and when notified of vendor-identified, SCRM-related incidents?

SLIDE 44

CIP-013-1 Part R1.2.3

Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;

  • How can an entity encourage vendors to provide such notifications?
  • What would a prudent entity do upon such access notifications?

SLIDE 45

CIP-013-1 Part R1.2.4

Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;

  • How can an entity encourage vendors to provide such disclosures?
  • How would a prudent entity mitigate the risks of such vulnerabilities?

SLIDE 46

CIP-013-1 Part R1.2.5

Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and

  • How can an entity verify the software integrity and authenticity of software and patches provided by vendors?
  • What would a prudent entity do once the integrity and authenticity of a software update or patch is verified?
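As an added illustration of the two checks Part R1.2.5 names (this is example code, not part of the WECC presentation), the Go program below models a vendor that publishes a SHA-256 digest for a package and signs that digest with an Ed25519 key; the entity then checks integrity (do the received bytes hash to the published digest?) and authenticity (was that digest signed by the vendor key the entity pinned out of band?) as separate questions, so a download altered after signing and a package re-signed with a non-vendor key are rejected for different, recorded reasons. The release layout, key seeds, names and firmware bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// VendorRelease is what the entity receives through its procurement channel:
// the package bytes, the SHA-256 digest the vendor published for it, and the
// vendor's detached Ed25519 signature over that published digest.
// (Constructed layout for this example; real vendors use GPG, Authenticode, etc.)
type VendorRelease struct {
	Name      string
	Package   []byte
	SHA256Hex string
	Signature []byte
}

// Verdict keeps the two Part 1.2.5 checks separate so the reason for a
// rejection is visible in the entity's evidence record.
type Verdict struct {
	IntegrityOK    bool // received bytes hash to the published digest
	AuthenticityOK bool // published digest was signed by the vendor's pinned key
}

// Approved is the go/no-go for the entity's change-management step: both must pass.
func (v Verdict) Approved() bool { return v.IntegrityOK && v.AuthenticityOK }

// SignRelease models the vendor side: hash the package and sign the digest.
func SignRelease(name string, pkg []byte, vendorPriv ed25519.PrivateKey) VendorRelease {
	digest := sha256.Sum256(pkg)
	return VendorRelease{
		Name:      name,
		Package:   pkg,
		SHA256Hex: hex.EncodeToString(digest[:]),
		Signature: ed25519.Sign(vendorPriv, digest[:]),
	}
}

// Verify is the entity side. pinnedVendorKey must come from an out-of-band
// channel and be stored by the entity beforehand; a key shipped next to the
// download would only prove that the download is consistent with itself.
func Verify(rel VendorRelease, pinnedVendorKey ed25519.PublicKey) (Verdict, error) {
	published, err := hex.DecodeString(rel.SHA256Hex)
	if err != nil || len(published) != sha256.Size {
		return Verdict{}, fmt.Errorf("%s: malformed published digest", rel.Name)
	}
	var v Verdict
	// Authenticity: did the vendor really publish this digest?
	v.AuthenticityOK = len(rel.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(pinnedVendorKey, published, rel.Signature)
	// Integrity: do the bytes we hold match what the vendor published?
	actual := sha256.Sum256(rel.Package)
	v.IntegrityOK = bytes.Equal(actual[:], published)
	return v, nil
}

// Scenarios runs three constructed releases through Verify with one pinned key:
// "genuine" is untouched; "tampered" keeps the vendor's signed digest but its
// package bytes were altered after signing; "forged" is the altered package
// re-hashed and re-signed with a key the entity never pinned.
func Scenarios() map[string]Verdict {
	vendorPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	pinned := vendorPriv.Public().(ed25519.PublicKey)
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))

	firmware := []byte("constructed relay firmware image 2.3.1") // stand-in for a real package
	genuine := SignRelease("relay-fw-2.3.1", firmware, vendorPriv)

	tampered := genuine
	tampered.Package = append([]byte("altered:"), firmware...)
	forged := SignRelease("relay-fw-2.3.1", tampered.Package, otherPriv)

	out := map[string]Verdict{}
	for label, rel := range map[string]VendorRelease{"genuine": genuine, "tampered": tampered, "forged": forged} {
		v, err := Verify(rel, pinned)
		if err != nil {
			panic(err) // digests are well-formed by construction here
		}
		out[label] = v
	}
	return out
}

func main() {
	for label, v := range Scenarios() {
		fmt.Printf("%-8s integrity=%-5t authenticity=%-5t approved=%t\n",
			label, v.IntegrityOK, v.AuthenticityOK, v.Approved())
	}
}
```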

SLIDE 47

CIP-013-1 Part R1.2.6

Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to- system remote access with a vendor(s).

  • How would a prudent entity establish coordination of controls for remote access?

SLIDE 48

Documenting Parts 1.2.1-1.2.6

  • How can an entity document compliance with Parts 1.2.1 through 1.2.6:
    • In its R1 procurement plan?
    • For each applicable R2 implementation?

SLIDE 49

Don’t Forget CIP-005 & CIP-010

  • A prudent entity will prepare for compliance with CIP-005-6 Part 2.4 and Part 2.5, as well as CIP-010-3 Part 1.6, on or before the effective date (July 1, 2020)
  • These components will be audited by the CIP-005 and CIP-010 audit teams, as applicable

SLIDE 50

Auditing CIP-013-1 R1

  • What R1 evidence will the CIP-013 audit team expect?
  • What R1 internal controls would a prudent entity develop?

SLIDE 51

Implementing the SCRM Plan (R2)

Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1.

  • What R2 evidence demonstrating an implementation of the SCRM plan will the CIP-013 audit team expect for each applicable procurement after the effective date?
    • Archive SCRM evidence on a case-by-case basis
  • What R2 internal controls would a prudent entity develop?

SLIDE 52

Approving the SCRM Plan (R3)

Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.

  • Initial review and approval is due on or before July 1, 2020 (NERC, 2017 July, Implementation Plan: Initial Performance section, p. 3)
  • No more than 15 calendar months apart thereafter
  • What R3 evidence will the CIP-013 audit team expect?
  • What R3 internal controls would a prudent entity develop?

SLIDE 53

Looking Ahead to CIP-013-2

  • Review the 2019 NERC Staff Report on SCRM
    • Addresses FERC’s directive to “develop modifications to include EACMS associated with medium and high BES Cyber Systems” (FERC, Order 850, para. 5, p. 54994) within 24 months of the effective date of Order 850
    • Also addresses FERC concerns relative to the SCRM impacts of PACS, PCA, and LIBCS
    • Provides insight into various industry white papers (NERC, Supply Chain Risk Mitigation Program)
  • Expect additional SCRM compliance obligations for EACMS associated with high and medium impact BCS, with more to come later on from FERC, NERC, and the SDT
  • The SCWG is developing SCRM procurement documents, which may be rolled into CIP-013-2 Requirements or into future implementation guidance documents

SLIDE 54

ERO References

  • FERC. (2018 October 26). Order No. 850: CIP-013-1—Supply Chain Risk Management Reliability Standard Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register, 83(208), pp. 53992-54005. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf
  • NERC. (2019 February 9). Cybersecurity Supply Chain Risks: Staff Report and Recommended Actions [Draft]. In MRC Agenda Item 9, pp. 4-43. Retrieved from https://www.rtoinsider.com/wp-content/uploads/Draft-NERC-Supply-Chain-Report-2-6-19.pdf
  • NERC. (2018 October 18). CIP-013-1 – Cyber Security - Supply Chain Risk Management [Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf
  • NERC. (n. d.). Supply Chain Risk Mitigation Program [Links to Industry White Papers]. Retrieved from https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx

SLIDE 55

Industry References

  • Executive Order 13873. (2019 May 17). Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84(96), pp. 22689-22692. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
  • Executive Order 13636. (2013 February 19). Improving Critical Infrastructure Cybersecurity. In Federal Register, 78(33), pp. 11739-11744. Retrieved from https://www.federalregister.gov/documents/2013/02/19/2013-03915/improving-critical-infrastructure-cybersecurity
  • NATF. (2017 November 6). Software Integrity & Authenticity Implementation Guidance for CIP-010-3 R1 Requirement Part 1.6 [ERO Approved Guidance Document]. Retrieved from https://www.nerc.com/pa/comp/guidance/EROEndorsedImplementationGuidance/CIP-010-3%20R1.6%20Software%20Integrity%20and%20Authenticity.pdf

SLIDE 56

Other References

  • Department of Homeland Security [DHS-CISA]. (2019 May 20). Unmanned Aircraft Systems (UAS) - Critical Infrastructure. Retrieved from https://www.dhs.gov/cisa/uas-critical-infrastructure
  • Network Security. (2018 August). Russian Hackers Breach US Electricity Network. Elsevier Press. ISSN 1353-4858 (pp. 1-3). Retrieved from https://www.sciencedirect.com/science/article/pii/S1353485818300722?via%3Dihub
  • Smith, R. (2018 July 23). Russian Hackers Reach U.S. Utility Control Rooms. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110
  • Smith, R., & Barry, R. (2019 January 10). America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It. The Wall Street Journal [Online]. Retrieved from https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112

SLIDE 57

Audit Approach & IC Summary

  • Approach CIP-013-1 compliance as a project with well-defined tasks, timelines, and processes designed to:
    • Develop and document the R1 SCRM procurement plan
    • Develop an R2 implementation plan for the R1 SCRM plan
    • Approve the initial R1 SCRM plan on or before July 1, 2020
    • Ensure the R1 SCRM procurement plan is reviewed, updated, and approved at least once every 15 calendar months thereafter
    • Maintain R1-R3 audit evidence relative to new procurement of all vendor products and/or services obtained for High and Medium BCS after July 1, 2020
    • Develop CIP-013-1 R1-R3 internal controls concurrently with SCRM procurement plans, processes and procedures
    • Be proactive and monitor for future changes in CIP-013-2
  • Time permitting, are there any other questions?

SLIDE 58

Contact:

  • Dr. Joseph B. Baugh, Senior Compliance Auditor—Cyber Security, jbaugh@wecc.org

SLIDE 59

Facility Rating Internal Controls

Keith Smith, Manager, O&P Compliance Monitoring

SLIDE 60

Objectives

  • Establish Facility Ratings that respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility
    • Consideration of all applicable equipment
    • Accurate Equipment Ratings
  • Ensure established Facility Ratings are consistently utilized
    • Protection
    • Analysis
    • Monitoring


SLIDE 61

Internal Controls

  • Internal controls are the processes and tools an entity utilizes to meet the identified objectives
  • All entities will have some level of internal controls in place
  • Internal control expectations depend on the inherent risk of the entity

SLIDE 62

Internal Controls

  • Methodology
  • Inventory
  • Verification
  • Change Management

SLIDE 63

Facility Rating Methodology

FAC-008 requires registered entities to have a methodology and/or documentation that includes the method, assumptions, and process for determining Facility Ratings

SLIDE 64

Facility Rating Methodology Example #1

  • Low Bar Power Company has a methodology addressing each item required by the Standard at a high level.

SLIDE 65

Facility Rating Methodology Example #2

  • Max Reliability Power Company has a detailed methodology that addresses each item in the Standard and includes:
    • Annual reviews
    • Roles and responsibilities
    • Identification of tools
    • Step-by-step work instructions


SLIDE 66

Inventory

Inventory tracking of Facility Ratings, the equipment that comprises each Facility, and all Equipment Ratings is necessary for:

  • Establishing Facility Ratings
  • Evaluating change impacts
  • Verifying Facility Ratings

SLIDE 67

Inventory Example #1

  • Low Bar Power Company maintains a spreadsheet that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities

SLIDE 68

Inventory Example #2

  • Max Reliability Power Company maintains a database that identifies the series equipment, Equipment Ratings, and Facility Rating for its Facilities, and includes:
    • Equipment Rating documentation
    • Flagging when Equipment Rating changes impact Facility Ratings
    • Identification of Facilities with unique characteristics
    • Required fields dependent on characteristics of Facilities
    • Automated notification for Facility Rating changes


SLIDE 69

Verification

Verification of Facility Ratings is a detective control to help ensure Facility Ratings respect the most limiting applicable Equipment Rating of the individual equipment that comprises that Facility.

SLIDE 70

Verification Example #1

  • Low Bar Power Company states that it verified its Facility Ratings using as-built one-line diagrams at the time it established its Facility Ratings

SLIDE 71

Verification Example #2

  • Max Reliability Power Company performs annual field inspections of a percentage of its Facilities to ensure all applicable equipment has been considered in Facility Ratings documentation and Equipment Ratings are accurate.
    • Anomalies evaluated for applicability to other Facilities
    • Identified Facilities prioritized for future field inspections


SLIDE 72

Change Management

Change management processes are necessary to ensure:

  • Equipment Rating changes are evaluated to identify impacts to Facility Ratings
  • Facility Rating changes are evaluated to identify impacts to protection, analysis, and monitoring of the Bulk Electric System


SLIDE 73

Change Management Example

[Diagram: Facility Ratings feed into TOP-003-3, TOP-001-4, TOP-002-4, TPL-001-4, IRO-010-2, MOD-032-1, and PRC-023-4]

SLIDE 74

Change Management Example #1

  • Low Bar Power Company has no documented change management processes but states:
    • Its personnel will know to review Facility Ratings if equipment changes occur
    • Appropriate personnel should receive an email when Facility Ratings change

SLIDE 75

Change Management Example #2

  • Max Reliability Power Company has robust documented change management processes for equipment changes that include:
    • Evaluation of changes by subject matter experts
    • Required change approvals prior to changes being implemented
    • Notification to update inventory after changes implemented
    • Confirmation that changes implemented as planned


SLIDE 76

Change Management Example #2

  • Max Reliability Power Company has robust documented change management processes for Facility Rating changes that include:
    • Automated notification of Facility Rating changes
      • Protection Engineering
      • System Planning
      • System Operations
      • Operations Support
    • Checklist to verify appropriate follow-up action(s) taken
    • Periodic comparisons with internal and external models
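To make the Inventory, Verification and Change Management controls above concrete, here is an added Go sketch (example code, not from the MRO presentation) that keeps a Facility's series equipment in an inventory, recomputes the Facility Rating as the most limiting Equipment Rating as a detective check against the documented value, and, when an Equipment Rating change moves the Facility Rating, updates the documented rating and returns the four groups listed in Example #2 that must be notified. The facility names, equipment IDs and ampere ratings are constructed.

```go
package main

import "fmt"

// Equipment is one series element of a Facility with its Equipment Rating in amperes.
type Equipment struct {
	ID         string
	RatingAmps float64
}

// Facility holds the documented (published) Facility Rating next to the inventory
// of series equipment that rating must respect. Constructed model for this example.
type Facility struct {
	Name           string
	DocumentedAmps float64
	Series         []Equipment
}

// MostLimiting returns the series element with the lowest Equipment Rating;
// ok is false when the inventory is empty.
func MostLimiting(f Facility) (lim Equipment, ok bool) {
	if len(f.Series) == 0 {
		return Equipment{}, false
	}
	lim = f.Series[0]
	for _, e := range f.Series[1:] {
		if e.RatingAmps < lim.RatingAmps {
			lim = e
		}
	}
	return lim, true
}

// Anomaly is a verification finding. Exceeds marks the reliability-relevant case:
// the documented rating is higher than what the weakest element can carry.
type Anomaly struct {
	Facility   string
	Documented float64
	Limiting   Equipment
	Exceeds    bool
}

// VerifyRatings is the detective control: recompute every Facility Rating from
// the inventory and report each one whose documented value disagrees.
func VerifyRatings(fs []Facility) []Anomaly {
	var out []Anomaly
	for _, f := range fs {
		lim, ok := MostLimiting(f)
		if !ok || f.DocumentedAmps != lim.RatingAmps {
			out = append(out, Anomaly{f.Name, f.DocumentedAmps, lim, ok && f.DocumentedAmps > lim.RatingAmps})
		}
	}
	return out
}

// NotifyGroups are the recipients of the automated Facility Rating change notification.
var NotifyGroups = []string{"Protection Engineering", "System Planning", "System Operations", "Operations Support"}

// ChangeImpact records what an Equipment Rating change did to the Facility Rating.
type ChangeImpact struct {
	Facility                         string
	OldFacilityAmps, NewFacilityAmps float64
	Notify                           []string // nil when the Facility Rating is unaffected
}

// ApplyEquipmentChange is the change-management control: update one Equipment
// Rating, recompute the Facility Rating, and say who must be notified if it moved.
func ApplyEquipmentChange(f *Facility, equipmentID string, newAmps float64) (ChangeImpact, error) {
	idx := -1
	for i, e := range f.Series {
		if e.ID == equipmentID {
			idx = i
		}
	}
	if idx < 0 {
		return ChangeImpact{}, fmt.Errorf("%s: equipment %q not in inventory", f.Name, equipmentID)
	}
	before, _ := MostLimiting(*f)
	f.Series[idx].RatingAmps = newAmps
	after, _ := MostLimiting(*f)
	impact := ChangeImpact{Facility: f.Name, OldFacilityAmps: before.RatingAmps, NewFacilityAmps: after.RatingAmps}
	if after.RatingAmps != before.RatingAmps {
		f.DocumentedAmps = after.RatingAmps // keep the published rating in step with the inventory
		impact.Notify = append([]string(nil), NotifyGroups...)
	}
	return impact, nil
}

// SampleInventory is constructed data: Line 1's documented rating does not
// account for its wave trap WT-1; Line 2 is documented correctly.
func SampleInventory() []Facility {
	return []Facility{
		{"Line 1", 1000, []Equipment{{"COND-1", 1200}, {"CT-1", 1000}, {"CB-1", 1200}, {"WT-1", 800}}},
		{"Line 2", 800, []Equipment{{"COND-2", 1200}, {"CT-2", 1000}, {"CB-2", 1200}, {"WT-2", 800}}},
	}
}

func main() {
	inv := SampleInventory()
	for _, a := range VerifyRatings(inv) {
		fmt.Printf("%s: documented %.0f A, most limiting %s at %.0f A (exceeds=%t)\n",
			a.Facility, a.Documented, a.Limiting.ID, a.Limiting.RatingAmps, a.Exceeds)
	}
	impact, _ := ApplyEquipmentChange(&inv[1], "WT-2", 1200) // wave trap replaced with a larger unit
	fmt.Printf("%s: %.0f A -> %.0f A, notify %v\n", impact.Facility, impact.OldFacilityAmps, impact.NewFacilityAmps, impact.Notify)
}
```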

SLIDE 77

Questions?


SLIDE 78

Break

Webinar participants: We will return at 3:45 p.m. Central

SLIDE 79

Safety First and Always

NERC 2019 Compliance & Standards Workshop
Eversource Energy Service Company
July 23–24, 2019, Minneapolis, MN 55402

Paolo D’Alessandro, JD, Senior Specialist, Reliability Compliance

SLIDE 80

Eversource Energy: Service Territories

  • Eversource provides electric service in CT, MA, and NH through the following regulated subsidiaries (all doing business as Eversource Energy):
    – Connecticut Light & Power, with over 1,270,000 electric customers
    – NSTAR Electric, including the former Western Massachusetts Electric Company, with 1,380,000 electric customers
    – Public Service of New Hampshire, with 528,000 electric customers
  • Eversource Energy Service Company provides certain functions, such as transmission operations and transmission planning.
  • Eversource provides gas distribution through Yankee Gas Services Company and NSTAR Gas, delivering natural gas to approximately 524,000 customers.
  • Eversource serves nearly 230,000 water customers through Aquarion Water Company.
  • Eversource has approx. 8,000 employees.

SLIDE 81

Eversource Energy: One Registered Entity

  • Effective January 1, 2018, Eversource Energy Service Company (NCR07176) registration was consolidated with:
    • Connecticut Light and Power (NCR07044)
    • NSTAR Electric Company (NCR7180)
    • Public Service of New Hampshire (NCR07203)
    • Western Massachusetts Electric (NCR07232)
  • Benefits of registration consolidation include the following:
    • Supports efforts for consistency and best practice across 3 states
    • Efficiency through consolidation of external audits
  • In January 2018, PSNH completed the sale of its fossil fuel and generation units; therefore Eversource is no longer a GO or GOP
  • As of January 2018, Eversource Energy’s functional registration is now:

Registered Entity                              | DP (Distribution Provider) | TO (Transmission Owner) | TOP (Transmission Operator) | TP (Transmission Planner) | TSP (Transmission Service Provider)
Eversource Energy Service Company (NCR07176)   | X                          | X                       | X                           | X                         | X

SLIDE 82

A Strong Compliance Culture

  • Continued efforts to consolidate three state organizations for consistency and identification of best practices, tools and controls.
  • Strong senior management commitment. Executives are regularly engaged in supporting compliance-related activities.
  • Dedicated departments to focus on compliance (Reliability Compliance, Operational Compliance and Internal Audit).
  • Work activities foster a systematic approach to operational excellence and compliance.
    • Reportability Determinations / Root Cause Analysis
    • Self Assessments > Lessons Learned > Roadshow Presentations
    • Internal Audits
    • Events Analysis
    • Training (i.e. CIP annual training)
  • Eversource SMEs lead on embedding compliance within their respective functional teams. SME responsibilities primarily affect the following enterprise-level groups:

SLIDE 83

Organization: Dedicated Committees & Departments to Ensure Compliance

Committees:
  • Compliance and Ethics Committee
  • Reliability Steering Committee - Quarterly
  • Compliance Work Plan (CWP) - Monthly

Departments:
  • Reliability Compliance / Operational Compliance
  • Internal Audit
  • Enterprise Risk Management

SLIDE 84

Examples of internal controls that support NERC compliance at an enterprise-wide level consist of the following:

Eversource - Enterprise-Wide Controls

  • Reliability Compliance Department: Oversees and assists the business in ensuring compliance with all applicable Reliability Standards & Requirements
  • Compliance and Ethics Committee: Executive-level committee that oversees all compliance activity within the organization
  • Internal Audit: Independently conducts periodic audits of compliance activities, including NERC Reliability Standards
  • Enterprise Risk Management: Framework and process that enables an enterprise-wide view of business risks and how they are appropriately managed and mitigated
  • Compliance Work Plan: Monthly meetings to brief leadership on compliance activity including (1) KPIs, (2) standards development & implementation, (3) review of compliance activity, (4) emerging issues
  • CATSWeb: Database system used to track and ensure completion of gap analysis and action plans for applicable NERC Standards and NPCC Directories

SLIDE 85

Eversource Cyber Strategy

Risk-based, Defense-in-Depth strategy that evolves based on business and industry trends

  • Ensure New Technologies are Secure (IT & OT)
    • Privilege Access Mgmt.
    • Application testing
    • Penetration testing
    • Mobile device security
  • Ensure Cloud Technologies are Secure
    • 3rd party reviews
    • Identity & Access Mgmt.
    • End Point Security
    • Application isolation
  • Ensure Strong Cyber Hygiene
    • Policies, Vulnerability Management, Anti-malware technology, Security Monitoring, Security Awareness, Incident Response, Encryption, Secure Architecture
  • Secure Legacy Systems
    • Technologies that isolate or protect vulnerable systems from being exploited
  • Ensure OT/SCADA Systems are Secure
    • Device authentication
    • Device and network monitoring
    • Strict external/remote access protocols

slide-86
SLIDE 86

Safety First and Always

Eversource O&P/CIP ICE Lessons Learned

In 2018, Eversource participated in both an O&P and CIP ICE exercise. Positive feedback was received from SMEs and Senior Management on the following:

  • While resource intensive, the benefit of having a full review of internal controls, enhancement to existing controls and the reduction in audit scope outweighed the impact to the line.
  • Flowcharts were useful to demonstrate internal controls (detective, preventative) that support ongoing compliance.
  • If an entity decides to participate, don’t underestimate the time needed to work with SMEs to review controls, complete the ICE Template and create flowcharts.

slide-87
SLIDE 87

Safety First and Always

FAC-003-4 Flowchart

slide-88
SLIDE 88

Safety First and Always

TOP-002-4 Flowchart

slide-89
SLIDE 89

Safety First and Always

MOD-032-1 Flowchart

slide-90
SLIDE 90

Safety First and Always

CIP-011-2 Flowchart

slide-91
SLIDE 91

Safety First and Always

Questions?

slide-92
SLIDE 92

Creating sustainable value for all

Control Development

Kristen Long, Sr. Analyst

slide-93
SLIDE 93

HIGHLY SENSITIVE, CONFIDENTIAL AND PROPRIETARY. SEE NOTICE ON LAST PAGE Page 2

NERC CONTROLS DEVELOPMENT OVERVIEW

Gather existing information

  • NERC standard
  • Current RSAW
  • Policies and procedures
  • Enforcement history
  • Existing controls
  • Etc.

Kickoff meeting with BU

  • Outline the process
  • Create schedule
  • Define deliverables

Development meetings

  • Review the standard
  • Determine the need for a process map
  • Review and update existing controls
  • Develop new controls and tests to address risks

Approval

  • Control owners
  • NERC Compliance SMEs
  • NERC Compliance management

Upload to GRC Tool

Purpose: NERC Compliance will lead a complete review of existing controls and work with the Business Units to develop new controls utilizing the appropriate control type (detective, corrective, preventative) to address compliance, reliability, security, financial, and/or operational risks, and document the updated controls in Archer.

DRAFT

slide-94
SLIDE 94


Control Development

End Goal – develop rigorous preventative controls and tests for NERC reliability standards applicable to Entergy

Priority – start with CMEP standards, focus on CMEP requirements with Med/High VRF (2019)

Approach – tailored to the individual standard:

  • CMEP med/high requirements vs entire standard
  • Complete process mapping where applicable
  • Consider all risks – compliance, reliability, security, etc.
  • Control & Testing rigor based on violation risk factor (VRF) and enforcement history
  • Partner with Projects SME and BU SMEs
  • RSAW updates – where applicable

Archer – NERC Compliance

slide-95
SLIDE 95


All controls address some type of risk: compliance (RSAW measures), reliability (relay settings being in sync, preventing cascading outages), security (unauthorized physical or cyber intrusion), financial, operational. Items that could affect risk:

  • Monitoring objectives
  • Inherent risk (CMEP)
  • Known or potential internal deficiencies (e.g., inexperience of owners/testers, complicated manual process, etc.), and
  • Previous enforcement history

Risk Drives Robustness of Internal Controls

slide-96
SLIDE 96


Approach to Control & Test Deployment

  • Requires a balancing of considerations

Control & Test Balancing

  • Lower Risk (no violations, established process) = less persuasive evidence/documentation, fewer controls & tests
  • Higher Risk = more persuasive evidence/documentation, increased controls & tests

slide-97
SLIDE 97


How do I start?

  • Create Process Map – a process map is a visual depiction of the high level process. It should include the following information:
    • Flowchart style picture of process(es)
    • Implementing Procedures/Policies
    • Critical steps
    • Area responsibilities
    • Known Risks
    • Procedure steps
    • Link to requirements

slide-98
SLIDE 98


FOR ILLUSTRATIVE PURPOSES ONLY

slide-99
SLIDE 99


slide-100
SLIDE 100


Additional Considerations

  • Is the control, to the largest extent possible, automated?
  • Are compensating and supporting internal controls needed?
  • Is the level of documentation available for the control sufficient?
  • Are any controls necessary to meet the objective missing?
  • Even if the control operates as designed, will it fail to meet the objective? (if so = improperly designed)

slide-101
SLIDE 101


Quiz

Identify the Preventative Control

a) A control captured in the GRC tool that automatically kicks off, annually, directing a specific employee to perform a required compliance action 1 month ahead of the deadline.
b) A yellow sticky note attached to the same employee's monitor reminding them to perform the same action by the mandated deadline.

slide-102
SLIDE 102


Quiz

What qualifies as evidence?

a) A bus full of nuns that testify they personally witnessed the patch control management performed on January 1, 2019, well within the mandated time periods.
b) An electronic time stamped entry into the GRC tool, or another application, showing when the patch management was performed.
c) A now convicted felon stating that when he was still unindicted he personally performed the patch management on the same date.
d) Contemporaneously made video of the employee performing the patch management on January 1, 2019.

slide-103
SLIDE 103

Xcel Energy Overview

July 23, 2019

slide-104
SLIDE 104

Company Profile – Xcel Energy

Employees: 11,865

Natural gas operations

  • Customers: 2.0 million
  • Transmission: 2,209 miles
  • Distribution: 35,112 miles

Electricity operations

  • Customers: 3.6 million
  • Transmission: 20,000 miles
  • Distribution: 75,000 miles

Xcel Energy is an electric and natural gas company, with annual revenues of $11.4 billion. Based in Minneapolis, Minn., we have regulated operations in eight Midwestern and Western states, and provide a comprehensive portfolio of energy-related products through four operating companies.

slide-105
SLIDE 105

Xcel Energy

Operating companies:

  • Northern States Power Company - Minnesota
  • Northern States Power Company - Wisconsin
  • Public Service Company of Colorado
  • Southwestern Public Service

MRO:

  • NSP (NSPM & NSPW)
  • SPS

WECC:

  • PSCO

slide-106
SLIDE 106

Our Strategic Priorities

Lead the Clean Energy Transition | Enhance the Customer Experience | Keep Bills Low

(Figure labels: Service Revenue & Customer-Focused Assets; Customer Effort & Cost to Serve)

  • BROADEN economic growth and use of clean energy
  • HELP customers be more efficient and lower energy use
  • IMPROVE grid utilization, effectiveness, and economics
  • EXPAND the role and scope of propositions we offer
  • LOWER total cost, effort, and time to serve customers

Leverage competitive advantages to reduce emissions, improve grid performance and provide customer value

slide-107
SLIDE 107
slide-108
SLIDE 108

RELIABILITY | ACCOUNTABILITY