Brent Castagnetto, Manager, Cyber Security Audits
Technical Feasibility Exception (TFE) Streamlining Proposal
ERO-EMG, May 5, 2012, Arlington, VA

TFE Streamlining Proposal
• The ERO Enterprise has nearly two years’ experience “in the field”. Based on that, we know:
• The cost-to-benefit ratio of the process is skewed.
• CIP-based reliability and security can be monitored and promoted with less focus on the lower-value administrative tasks currently required by Appendix 4D to the Rules of Procedure.

TFE Streamlining Proposal
• Eliminate the existing TFE process and perform compensating and/or mitigating control reviews at the time of Audit and/or Spot Check.
• Utilize existing CMEP processes.

TFE Streamlining Proposal
We request that NERC seek FERC acceptance of this proposal.
• MRO, Texas RE, WECC collaboration
• ECEMG endorsed April 2012, requested REMG consideration
• REMG endorsed April 2012, requested ERO-EMG consideration

TFE History
• The TFE process was to be used as part of NERC’s phased approach.
• TFEs were to be an interim step to augment Version 1 of the CIP Standards.
• The TFE process would give responsible entities a mechanism for requesting and receiving an exception from strict compliance.
• We are four versions into the CIP Standards; why do we still have Appendix 4D?

MRO TFEs
MRO has spent over 5,000 hours since 2009 processing TFEs (Part A, Part B, terminations, amendments, reports, audit reviews, etc.).
• These hours cover the CIP audit team only; 693, Legal, and Reliability Assessment staff are not included.
• MRO estimates its registered entities have spent 20,000 hours (industry-only time) managing TFEs since 2009.

Texas RE TFEs
Texas RE has spent over 2,000 hours processing TFEs.
• This includes CIP, 693, Legal, and Reliability Assessment personnel.
• Texas RE management notes the issue is the continued maintenance of a process that yields little benefit to the reliability or security of the BES.

WECC TFEs
• WECC has received over 2,400 TFE requests.
• In 2011 WECC reviewed 968 TFE Part A requests and 1,198 TFE Part B requests.
• WECC spent over 5,000 hours reviewing TFEs in 2011.
• In 2010 WECC reviewed over 1,200 Part A and Part B TFEs.
• WECC spent over 6,000 hours reviewing TFEs in 2010.

Other TFE Proposals
CCWG has discussed several options:
• “Option 1”: Unnecessary over-processing; length of time needed to revise Appendix 4D.
• Options 2 and 3: Require revisions to standards, which will inevitably take years.
• Option 4 was proposed by Texas RE, MRO and WECC and is presented here as the “TFE Streamlining Proposal”.
• Option 4 is supported by 6 of 8 regions in CCWG.

TFE Streamlining Proposal
• Repeal Appendix 4D to eliminate separate TFE processes and eliminate the term “TFE”.
• Utilize Self Certifications, Self Reports, and Spot Checks to validate and track compensating and mitigating measures.
• Focus more on compensating measures and/or mitigating measures.

Compensating/Mitigating Measures
• The CIP Standards already contain compensating/mitigating measures; if entities comply with these standards, they offer the same protection as TFEs were intended to offer.
• Some common examples of acceptable compensating and/or mitigating measures include:
  • Cyber Assets reside within an ESP / PSP. (CIP-005 & CIP-006)
  • Cyber Security Training is required for all personnel with access to Cyber Assets. (CIP-004)
  • Personnel Risk Assessments are performed on personnel with access to Cyber Assets. (CIP-004)

TFE Process Streamlining
• Self Certification becomes the main vehicle for tracking compensating and mitigating measures.
• Compensating and/or mitigating measures are required and will be evaluated at Audit or Spot Check.
• Outreach will be important.

Education and Outreach
• Provide guidance to Entities regarding self-evaluation of strict compliance and documentation of compensating and/or mitigating measures.
• Regions will use effective CIP outreach programs prior to any compliance activity (Audit, Spot Check, Self Certification, etc.).

Benefits of TFE Streamlining Proposal
• Refocus on risk-based reliability.
• More CIP resources available to focus on reliability and security rather than lower-value administrative tasks.
• Significant cost savings for Regional Entities and Responsible Entities.

Questions?
Brent Castagnetto, Manager, Cyber Security Audits, WECC
bcastagnetto@wecc.biz
801.819.7627
801.597.7957