Technologies for Security and Compliance by Ken McIntyre, Ercot

525 views
344 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
525
On SlideShare
0
From Embeds
0
Number of Embeds
51
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Technologies for Security and Compliance by Ken McIntyre, Ercot

  1. 1. Page 1 Company Logo 2012 Technologies for Security and Compliance Summit August 2012 Austin, Texas Ken McIntyre Director Standards and Protocol Compliance Electric Reliability Council Of Texas
  2. 2. Page 2 Company Logo 2012 Technologies for Security and Compliance Summit Presentation: • Electric Reliability Council of Texas • The Regulatory Challenge • ERCOT Compliance Initiatives
  3. 3. Page 3 Company Logo Electric Reliability Council Of Texas (ERCOT) ERCOT Responsibilities • System Reliability • Open and Competitive Markets • Congestion Management • Network Modeling
  4. 4. Page 4 Company Logo Electric Reliability Council Of Texas (ERCOT) Key Features of the ERCOT Grid • Represents 85% of Texas Load • 74,000 MW of generation capacity • 40,530 miles of transmission lines • Electrical island with several DC Ties • RC, BA, TOP (CFR), PC, IC, RP, TSP ERCOT facilitates competitive markets to help achieve reliability.
  5. 5. Page 5 Company Logo Electric Reliability Council Of Texas (ERCOT) ERCOT Compliance Department • Centralized Compliance Program • Increased from two to thirteen employees • 693, CIP and all ERCOT Protocols • Standards Development (ballots etc.) • All things NERC e.g. CANs, TFEs, EA ERCOT Compliance Mission Statement: Promote ERCOT Reliability, Security and Compliance, through Collaboration, Leadership and Expertise.
  6. 6. Page 6 Company Logo The Regulatory Challenge ERCOT Public Utility Commission of Texas PUCT FERC / NERC SSAE16 / SOX ERCOT Board F&A (Internal Audits) Texas Reliability Entity (Regional Entity) DOE, DHS, EPA, NAESB
  7. 7. Page 7 Company Logo
  8. 8. Page 8 Company Logo
  9. 9. Page 9 Company Logo
  10. 10. Page 10 Company Logo The Regulatory Challenge cont. • Audits and Investigation Preparation • Compliance burden on organization • Standards Development • Compliance with new standards and versions • Internal Compliance and Monitoring Program • Event Analysis Reporting and Lessons Learned • Institutionalize recommendations • Critical Infrastructure Protection • Maintaining best practice / Defense in Depth • SCADA System integrity / Smart Grid information / Mobile Devices • CIP Standards and new versions
  11. 11. Page 11 Company Logo ERCOT Compliance Initiatives What should the Compliance Department do? • Compliance ‘promotes’ Reliability and Security • Allow Subject Matter Experts to focus on improving industry, while still meeting compliance obligations (daily activities) • Reduce duplication of regulatory efforts across the organization (one activity meets multiple regulatory requirements) • Active Policy Monitoring and Enforcement to allow early detection and mitigation of issues, and avoid unnecessary compliance burden • Minimize ‘Drift’ from stated expectations • Institutionalize Recommendations, ‘Normal Practice’
  12. 12. Page 12 Company Logo ERCOT Compliance Initiatives cont. What is the Compliance Department going to do? • Consolidate PUCT/FERC/NERC Compliance Data Repositories • Common regulatory evidence, sampling, reporting, event analysis, mitigation • Implement AlertEnterprise ‘GRC’ Solution for Compliance • NERC Reliability Standards, ERCOT Protocols, Corporate Policies, SSAE16 • Automate RSAW development, and other compliance activities • Active Policy Monitoring and Enforcement (2013) • Map requirements between multiple regulatory environments • Provide Compliance Transparency • AlertEnterprise Dashboards for Executives and Managers • Risk/Gap/Impact analysis (AlertEnterprise ‘Risk Engine’ concept)
  13. 13. Page 13 Company Logo ERCOT Compliance Initiatives cont. Additional detail on some initiatives....
  14. 14. Page 14 Company Logo ERCOT Compliance Initiatives cont. AlertEnterprise/ERCOT mapping requirements between multiple regulatory environments: - Map requirements between NERC – Protocols – Guides – Policy - Interactive display of Requirement and document associations with master & transaction data, - Displays Requirement association with transaction data (Assessments, Investigation, Mitigation, Self Report, Action Items, RSAW, Event Tracker) within a date range
  15. 15. Page 15 Company Logo ERCOT Compliance Initiatives cont. AlertEnterprise/ERCOT NERC RSAW functionality: - Developed for NERC RSAW creation, - Can be applied/formatted for other regulatory requirements - Templates with requirements and placeholders for compliance actions, SME and evidence tables NERC
  16. 16. Page 16 Company Logo ERCOT Compliance Initiatives cont.
  17. 17. Page 17 Company Logo ERCOT Compliance Initiatives cont.
  18. 18. Page 18 Company Logo ERCOT Compliance Initiatives cont. AlertEnterprise/ERCOT ‘Risk Engine’ concept : - Essentially a means to provide the association of a NERC ‘risk score’ or ‘risk categorization’ to framework items and controls - Based on VRF, compliance history, enforcement history, NERC ranking (Top 20), self reports, mitigation plans etc. - Benefits of assigning a ‘risk score’ to a standard and requirement will be the development of appropriate monitoring, reporting, dash-boarding, frequency of assessments, focused training, resource allocation etc. - ERCOT vision is one of a ‘real-time’ compliance monitoring tool. Are we compliant today and what is the confidence that our controls in place are adequate, how well are we prepared to demonstrate compliance?
  19. 19. Page 19 Company Logo Thank you - Questions?

×