Technical Feasibility Exceptions. Tony Purgar CIP Compliance Workshop Baltimore, MD August 19-20, 2009. Outline. Background Overview – Initial TFE Program Proposal (dated March 16, 2009)
Technical Feasibility Exceptions Tony Purgar CIP Compliance Workshop Baltimore, MD August 19-20, 2009
Outline • Background • Overview – Initial TFE Program Proposal (dated March 16, 2009) • Overview - “Compliance Process Bulletin #2009-006 Interim Approach to Technical Feasibility Exceptions” (dated July 1, 2009) • Where Are We Today? • “Joint NERC and RE Proposal to Implement TFE Evaluations” • Next Steps
Background • January 18, 2008: FERC issued Order No. 706 approving mandatory Reliability Standards for CIP and directed NERC to establish a procedure for the submission, review, audit and approval of Technical Feasibility Exceptions (TFEs) • Specifically, NERC as the ERO was directed “to develop a set of conditions or criteria that a responsible entity must follow when relying on the technical feasibility exception contained in specific requirements of the CIP Reliability Standards.” • Also, “technical feasibility exceptions should be reported, justified and subject to approval by the ERO or relevant Regional Entity.”
Background • March 16, 2009: NERC posted a “Request for Comments on Proposed Procedure for Requesting and Receiving Technical Feasibility Exceptions to NERC CIP Standards and Related Amendments to NERC Rules of Procedure” - Initial TFE Program Proposal • April 30, 2009: Comments due • April-May, 2009: Over 50 different sets of comments were received • Review of comments and evaluation of additional approaches is ongoing
Background • May 16, 2009: Order No. 706-A issued • FERC “expects Regional Entities to process and evaluate requests for technical feasibility on a fair and consistent basis.” • NERC would have discretion to develop uniform procedure (i.e. revision to NERC RoP) to establish level of consistency in processing TFEs
Background • July 1, 2009: NERC released “Compliance Process Bulletin #2009-006 Interim Approach to Technical Feasibility Exceptions” • Provides guidance to REs and affected Registered Entities concerning applicability & implementation of NERC CIP Standards that refer to “technical feasibility” and/or “technical limitation” pending the adoption of permanent program to address TFEs.
Overview - Initial TFE Program Proposal • Applicable only to specific requirements in CIP-002 through CIP-009 • Proposed process was a modification to the NERC Rules of Procedure • Modeled after the Self Report of Non-Compliance with Mitigation Plan • An “Exception” not an “Exemption” from Compliance
Definitions • Applicable Requirement: A Requirement of a CIP standard that expressly provides either • (i) that compliance with the terms of the Requirement is required where or as technically feasible, or • (ii) that technical limitations may preclude compliance with the terms of the Requirement • Covered Asset: A Cyber Asset or Critical Cyber Asset that is subject to an Applicable Requirement
Definitions • Eligible Reviewer: A person who has the required security clearances or other qualifications, or who otherwise meets the applicable criteria, to have access to classified National Security Information, NRC Safeguards Information, or Protected FOIA Information, as applicable to the particular information to be reviewed. • Expiration Date: The date on which a TFE expires, as specified in the approved TFE Request or in a Notice of Revocation.
Definitions • National Security Information (NSI): Information classified by an Executive Order, whose compromise would cause some degree of damage to the national security. • Protected FOIA Information: Required Information, held by a governmental entity, that is subject to an exemption from disclosure under FOIA (5 U.S.C. §552(e)) or any similar state or local statutory provision which would be lost were the Required Information to be placed into the public domain. • [NOTE: This definition should be interpreted to include any Canadian or provincial provisions similar to FOIA.]
Definitions • Region: The geographic boundaries of a Regional Entity. • Regional Entity: The organization that has compliance enforcement authority for the Critical Asset supported by the Covered Asset that is the subject of the TFE request. • Responsible Entity: A user, owner or operator of the Bulk Electric System that is registered in the Compliance Registry and is responsible for complying with an Applicable Requirement, as specified in the Applicability section of the CIP Standard.
Definitions • Safeguards Information (SGI): Safeguards information is a special category of sensitive unclassified information authorized by Section 147 of the Atomic Energy Act to be protected. • Safeguards information concerns the physical protection of operating power reactors, spent fuel shipments, strategic special nuclear material, or other radioactive material. • Senior Manager: The person assigned by the Responsible Entity, in accordance with CIP Standard CIP-003-1 Requirement R2 (or subsequent versions), to have overall responsibility for leading and managing the Responsible Entity’s implementation of, and adherence to, the CIP Standards.
Definitions • Strict Compliance: Compliance with the terms of an Applicable Requirement without reliance on a Technical Feasibility Exception • Technical Feasibility Exception or TFE: An exception from compliance with the terms of an Applicable Requirement on grounds of technical feasibility or technical limitations in accordance with one or more of the criteria defined within the TFE Basis for Approval • TFE Request: A request submitted by a Responsible Entity in accordance with the published Interim TFE process for an exception from Compliance with an Applicable Requirement
TFE Basis for Approval When Strict Compliance with an Applicable Requirement: • Is not technically feasible • Is not operationally feasible • Is precluded by technical limitations • Could adversely affect the reliability of the Bulk Electric System to an extent that outweighs the reliability benefits of Compliance with the Applicable Requirement
TFE Basis for Approval • While technically and operationally feasible, cannot be achieved by the Compliance Date due to such factors as: • Scarce technical resources • Limited availability of required equipment or components • Need to construct, install, or modify equipment during planned outages
TFE Basis for Approval • Would pose safety risks or issues that outweigh the reliability benefits of Strict Compliance • Would conflict with, or cause the Responsible Entity to be non-compliant with a separate statutory or regulatory requirement that cannot be waived • Would incur costs that exceed the benefits of Compliance
Additional Conditions • Responsible Entity is required to implement and maintain an alternate approach to achieving compliance through the use of compensating and/or mitigating measures • TFE will typically be approved for a limited duration • Normally requires expiration date • Compliance with applicable requirement is expected • Open-ended TFE allowed under limited conditions if justified, with periodic review to perpetuate TFE
TFE Submission • Separate submission for each TFE request • For each Applicable Requirement pertaining to each Covered Asset. • Can group multiple, similar Covered Assets into one submission • Same or multiple locations • Same basis for TFE • Same compensating and mitigating measures • Similar proposed Expiration Dates
TFE Request – Required Information • Responsible Entity name • Contact information, including how NERC may arrange to view confidential information • Location of Covered Asset • Applicable Requirement • Narrative discussion and analysis of the basis for approval • Narrative discussion and analysis of compensating and mitigating measures, including how and to what extent the measures will reduce risk
TFE Request – Required Information • List of confidential information to be reviewed onsite along with criteria to be an Eligible Reviewer • Proposed implementation and reporting schedule • Proposed plan and time schedule for terminating TFE and achieving Strict Compliance • Detailed steps and milestone schedule for achieving Strict Compliance, or • Specific research, design, analytical, testing, or other activities, with schedule, to determine a means to achieve Strict Compliance
TFE Request – Required Information • Justification for requesting TFE with no expiration date • If Expiration Date is longer than one year, a proposed schedule for submitting reports to NERC on continuing need and justification for TFE • Reports must be submitted at least annually • Statement, signed by the Sr. Manager, acknowledging that the Sr. Manager has read and understands the TFE request and recommends approval
TFE Review for Approval or Disapproval • Preliminary Review to confirm all requirements of submission are satisfied • Unique identifier assigned • If Submission is complete, NERC sends notice accepting TFE as complete • If Submission is incomplete, NERC sends notice rejecting the TFE • NERC shall identify missing content. • Responsible Entity may resubmit
TFE Review for Approval or Disapproval • Substantive Review for Approval/Disapproval • 60-day review period, can be extended • If not approved, disapproved, or extended within review period, TFE automatically disapproved • Notice of Approval or Disapproval (with option to appeal) • NERC shall perform wide-area analysis collaborating with other Regional Entities and Responsible Entities
TFE Review for Approval or Disapproval • Reason for Disapproval stated in notice • NERC may state revisions to TFE that would result in approval of TFE Request if resubmitted • NERC not required to identify revisions • Requester has 30 days from time of notice to • Resubmit TFE with NERC identified revisions, or • Submit a mitigation plan to achieve Strict Compliance • Mitigation Plan processing shall follow CMEP
Deferred Violations/Penalties • Findings of Violations and Imposition of Penalties will be deferred during TFE Review • Deferment starts with acceptance as complete • Deferment ends with notice of approval or effective date of disapproval • Once TFE is approved, deferment continues as long as the TFE remains in effect and/or progress to Strict Compliance remains on schedule
TFE Reporting • Responsible Entity to submit timely periodic and other reports as specified in approved TFE request • Covers progress implementing • Compensating and/or mitigating measures • Steps, research, analysis to achieve strict compliance
TFE Revocation • TFE can be revoked if progress milestones not met, mitigation not maintained, or reports not submitted • TFE amendment can be requested, if needed • No guarantee amendment will be accepted • NERC may initiate Revocation Investigation • Can revoke TFE prior to Expiration Date - may become Alleged Violation • Can advance Expiration Date • Can impose additional requirements
Pending TFE Amendment • Responsible Entity can amend a pending TFE Request at any time the TFE is under review by NERC • Provide additional information • Revise required information • Can resubmit the entire TFE as amended or only the portion being amended if easily separable • May result in extension of review period
Approved TFE Amendment • Responsible Entity may submit amendment to approved TFE requesting revision to any TFE requirement. • For example: • Revised compensating/mitigating measures • Extension to implementation schedule • Extension of Expiration Date • May submit entire TFE or only amended portions
Approved TFE Amendment • Responsible Entity must include: • Narrative explanation of the amendment • Reason and purpose of the amendment • Reasons approved TFE requirements cannot be met • NERC will review for completeness and accept or reject the submission • If complete, NERC will perform substantive review to approve or disapprove • Approved TFE replaces previous TFE
TFE Completion • Notice Required to NERC • At least 30 days prior to Expiration Date • Signed and dated by Sr. Manager • Asserts Responsible Entity has or will be able to achieve Strict Compliance by Expiration Date • Audit of Strict Compliance included in next Compliance Audit, even if not originally planned in the audit program
Hearings and Appeals • Hearing can be requested before the Compliance and Certification Committee (CCC) • Dispute rejection or disapproval of TFE request • Dispute rejection or disapproval of proposed amendment • Dispute Revocation Notice • Adverse final order of the CCC can be appealed to the Board of Trustees Compliance Committee (BOTCC)
Overview - “Compliance Process Bulletin #2009-006 Interim Approach to Technical Feasibility Exceptions” • “Interim Guidance” document • Background • Approach • Submittal Requirements • Regional Activities • TFE Disapproval • TFE Compliance
Background • Posted July 1, 2009 as guidance to REs and affected Responsible Entities for addressing TFEs pending the adoption of permanent program. • Interim process is required to address TFEs for requirements for which certain Responsible Entities reached the “C-Compliant” stage on July 1, 2009 per the CIP Implementation Plan.
Approach • Without formal TFE process, REs will need to address TFEs in context of CIP Audits, Investigations and Spot-Checks • Responsible Entities asserting TFE must provide documentary support for the assertion of the TFE. • Basic information and particulars of TFE • Information justifying appropriateness of TFE • Information concerning mitigating and compensating measures to be implemented with TFE to reduce risk to reliability of BES.
Approach • Responsible Entities should submit TFE through an appropriately secure means acceptable to RE • Secure Portal • Encrypted e-mail • Should be submitted prior to time the Responsible Entity receives notice of a CIP audit or spot-check, ideally at time Responsible Entity is in “C-Compliant” stage of implementation
Approach • REs to provide time for TFE submission to Responsible Entities that will reach “C-Compliant” stage for specific requirements OR that received CIP audit / spot-check notices prior to July 1, 2009 • REs should receive TFE request at least 30 days prior to site visit of any audit or spot-check
Submittal Requirements • Identification of Standard & Requirements for which the TFE is being asserted • Description of assets, critical assets, and critical cyber assets affected by TFE, including vendor documentation detailing specific limitation of relevant equipment
Submittal Requirements • Explanation of why TFE is necessary • Documentation of date TFE was approved by Senior Manager or delegate(s) • Description of mitigating and compensating measures taken by Responsible Entity to address all risks to reliability of BES
Submittal Requirements • If applicable, list of which other Regions the Responsible Entity is seeking TFE request • Time period for which TFE is to remain in place • Specify Effective date and Actual or Expected End date • Evidence that the TFE assertion is in fact required based on factors outlined in the proposed Appendix 4D to the RoP, in TFE Program Proposal • Refer to “TFE Basis for Approval” section of this presentation
Submittal Requirements • Documentation and evidence of implementation plan that achieves a comparable level of security to the requirement for which TFE is being claimed • Remediation plan and timeline for eliminating use of TFE or evidence that remediation by certain date is not feasible due to technical limitations or other just cause.
Regional Activities • Auditors will consider the “Basis for Approval” factors and any evidence to determine whether compliance could be found based on TFE assertion • Mitigating and Compensating measures will be evaluated
Regional Activities • Auditors required to document Audit or Spot Check Reports that include (when applicable): • Whether Registered Entity asserted a TFE request • Basis for accepting TFE as part of findings of compliance • Basis for rejecting TFE as part of findings of possible violations • “Contrary to current practice, any spot-check report documenting one or more TFEs MUST be submitted to NERC”
TFE Disapproval • If TFE rejected, Auditors to send notice of disapproval and reasons for disapproval • May suggest revisions that, if made, would lead to approval • Shall specify effective date
TFE Disapproval • Revised TFE may be submitted during period from notice date to effective date • If re-submitted as specified, Auditors issue notice of approval and consider TFE in findings • If not re-submitted, case enters Enforcement space as possible violation
TFE Compliance • If Responsible Entity is found in Compliance based on TFE, finding will remain in effect until earlier of: • Responsible Entity’s next audit; • Subsequent compliance action identifies a failure to comply with mitigation, compensating or remediation plans submitted with TFE request; • Effective date of formal program adopted to review and approve TFEs, at which time the Responsible Entity would be expected to formally submit TFE request through formal program
Where are we today? • NERC and REs are closely collaborating to develop an efficient, secure and manageable permanent TFE program • “TFE Program Proposal” and “Interim Guidance” documents provide the framework for a permanent TFE program • “Interim Guidance” is official pending updates or the adoption of a permanent TFE Program • Latest Submission = Joint NERC and RE Proposal to Implement TFEs
Joint NERC and RE Proposal to Implement TFE Evaluations • Background • Applicability • TFE Requests and Responsibilities of Registered Entities • Procedures for Evaluation of a TFE Request (Regional Entities and NERC) • Regional Entities’ Roles and Responsibilities • NERC’s Roles and Responsibilities
Joint Proposal - Highlights • Per Orders 706 & 706-A, NERC/REs defined these characteristics for the proposed TFE program: • Produce the information needed to review and approve TFE Requests; • Be straightforward and not unduly burdensome to NERC, REs and Responsible Entities; • Maintain security of sensitive information per §1500 of NERC RoP; • Leverage existing resources at NERC & REs; • Minimize processing burden due to large volumes of TFEs • Clearly define roles/responsibilities of NERC, REs and Responsible Entities
Joint Proposal - Highlights • NERC will be responsible for oversight, implementation and consistency of TFE Program implementation, including oversight at the Regional Entity • NERC and REs shall: • Establish uniform processes & tools to receive, catalogue and approve TFE requests • Using existing NERC and Regional Entity Systems • Ensuring CEII and other confidential information is secure at all times per §1500 of NERC RoP • Approve common templates and electronic forms • Maintain list of requirements eligible for TFE Requests • Including evaluation and proposal of class-type TFEs applicable to broad classes of devices & equipment