Bryan Carr presented on additional considerations regarding CIP-002-5.1 compliance. He discussed observations from 2015 audits, including entities being hesitant to leverage NERC transition guidance and implementation delays. He then answered questions from entities regarding proper interpretation and application of CIP-002-5.1, providing clarification on topics like appropriately identifying breaker-and-a-half stations, treatment of jointly owned locations, and applicability to distribution providers.
06 CIP-002-5.1 Additional Consideration - 10 13 15
2. Speaker Intro: Bryan Carr
• Joined WECC in August 2012
• a.k.a Dr. TFE (Emeritus)
• Former CIP Program Manager
• Project manager
• 3:37 Marathoner – BQ 3:10
• Donut enthusiast
Western Electricity Coordinating Council
3. Agenda
• 2015 Audit Recap & Observations
• Q&A
• Distribution Providers
5. 2015 Audit Recap - Observations
• Many hesitant to leverage NERC v5 transition
guidance.
• Implementation delays due to interpretations,
waiting on Lessons Learned & FAQ.
• Entities who regularly reach out to audit team
and attend outreach were better prepared.
6. CIP-002-5.1 Entity Q&A
• Sources include email, audit, ERO-wide auditor
workshops/distribution lists, etc.
• Q&A sanitized to protect the innocent.
• All entities appearing in this presentation are
fictitious. Any resemblance to real entities, living
or dead, is purely coincidental.
7. Q1
• We plan to associate BCAs (including SPS/RAS)
with the operating voltage of the high side of the
transformer, as well as any BCA associated with
both the high and low side of the transformer
(e.g. bank differential relays). Is this a valid
approach?
8. A1
• Protect BCS associated with SPS/RAS at the
highest applicable impact rating.
• IRC 2.9 may bring in some BCS that would
normally be Low into scope as Medium BCS.
• Each SPS/RAS BCS should be evaluated
independently as you apply the IRC.
9. Q2
• In counting the number of lines coming into a
substation, should a bus bar with a tie-circuit
breaker be considered a line?
10. A2
• Normally a tie bus would not be considered a
transmission "line" as it does not typically
cross substation boundaries.
• If, however, the tie bus in question crosses
substation boundaries, a strict interpretation
of IRC 2.5 would indicate that it would qualify as
a "line" coming in and/or out of the
substation.
11. Q3
• For jointly owned locations – is
documentation required for who is
performing the compliance
obligations?
12. A3
• Yes, if a single entity is responsible for performing the
compliance obligations at a jointly owned Facility,
that should be clarified in the operating agreement,
through a memorandum, or other binding document
in which these obligations are clearly defined and
assigned to a single party.
• Without a binding document defining compliance
responsibility, WECC will look to the owner of each
applicable BCS to fulfill the compliance obligations.
13. Q4
• We will have only Low Impact BCS under CIP
v5, therefore we have nothing to do (no
compliance obligations) until April 1, 2017. Is
this correct?
14. A4
• Not quite. CIP-002-5.1 R1 & R2 and CIP-003-6 R3
& R4 must be complete (documented and
approved) by April 1, 2016 for ALL applicable
entities, including those with only Low Impact
BCS.
• Low Impact requirements in CIP-003-6 R1.2, R2,
Attachment 1 – Sections 1 & 4 must be complete
by April 1, 2017.
• Low Impact requirements in CIP-003-6 R2
Attachment 3 & 4 must be complete by
September 1, 2018.
15. Q5
• Should meters be considered BCA?
16. A5
• Certain meters may be considered BCA. For
example, tie-line (aka interchange) meters
providing data for ACE calculations are required
to have an update interval of no greater than 6
seconds (BAL-005-0.2b R8); those Cyber Assets
come into scope as real-time Cyber Assets that
support one or more BROS and should be
identified as BCA, grouped into one or more
appropriate BCS, and afforded the full protections
of the CIPv5 Standards, as applicable, based on
the impact rating of their host Facilities.
17. Q6
• We were just notified by PEAK that we’re now
part of an IROL, which will raise the
impact rating of a couple of our facilities from
Low to Medium. The implementation plan
allows for 12-24 months, but when does that
clock start ticking?
18. A6
• The IRC 2.3 and 2.6 Lesson Learned document recently
posted on NERC’s website adds an implementation
period for Medium BCS identified prior to April 1,
2016, and extends CIP compliance for newly identified
BCS under these two IRC by 12-24 months.
• The clock starts ticking upon completion of the R1
Assessment following an IRC 2.3 or 2.6 notification, not
the date of notification itself. Should such notification
occur between now and April 1, 2016, WECC expects
re-evaluation of R1 be completed on or before April 1,
2016, at which point the implementation period would
begin.
19. Q7
• Our low impact substation has a backup EMS
server which is part of our High Impact
Control Center. The EMS server and Low BCS
(protection equipment) are physically located
in the same building, but are logically
separate. Does this mean the entire facility
must be treated as High Impact, or can we
separate the two somehow?
20. A7
• The impact rating of the facility could remain
Low under certain conditions; however, the
High Impact BCS would need to be afforded all
the physical and logical protections specified
in the CIP Standards.
• Options to consider:
1. Create a separate PSP around just the High
Impact BCS.
2. Treat the entire building as a High PSP.
21. I’m a DP, is CIP v5 Applicable to Me?
• All DPs should implement a CIP-002-5.1 process to
evaluate their system to rule out anything that might
be applicable under the Impact Rating Criteria [IRC]
and Section 4.2.1.
• If the DP can demonstrate that NONE of its systems are
applicable under this section, then they should
document the evaluation and its results.
• Under an abundance of caution, a best practice would
be to document a null list for R1.1, R1.2, and R1.3, then
apply its process at least every 15 calendar months to
ensure that no systems changed to the extent that they
came into scope under Section 4.2.1.
22. What if I have a UFLS/UVLS?
• If you have an applicable UFLS/UVLS under
section 4.2.1 (NERC, 2012 Nov 22, CIP-002-5.1,
p. 1), these BCS should be evaluated as
Low-impact under IRC 3.6 and, therefore, the
Facilities containing them should be listed as
Low-impact BES [R1.3].
• Any specific DP UFLS/UVLS has to meet both
conditions of Section 4.2.1.1 to come into
scope as Low-impact.
23. What About Blackstart Units?
• Black-start resources and their associated cranking paths
can come into scope under CIPv5 as Low-impact BES Assets
under two conditions:
– IRC 3.4: Systems and facilities critical to system restoration,
including Blackstart Resources and Cranking Paths and initial
switching requirements (CIP-002-5.1, p. 16), or
– Section 4.1.2.4: Each Cranking Path and group of Elements
meeting the initial switching requirements from a Blackstart
Resource up to and including the first interconnection point of
the starting station service of the next generation unit(s) to be
started (CIP-002-5.1, p. 1).
• You may have a small non-BES Generation unit and/or
cranking path facility that are included in a Restoration
plan. Talk to your RC and TOP to make sure that you do not.
24. Evaluation Results
• A prudent DP will evaluate its systems, at a
minimum, against IRC 3.4, 3.6, and Section 4.2.1
and document that it either has no applicable
systems or it has provided the appropriate
protections to its applicable systems.
• A DP with applicable systems that come into
scope under CIPv5 will generally have approved
null R1.1 and R1.2 lists, and a relatively short R1.3
list.
• A DP that does not have applicable systems
should have null lists for all three categories.
25. Summary
• A DP should not just assume it has no applicable
systems; implement the R1 process anyway.
• This approach is effectively no different from the LSE or
other Registered Entity that applied its RBAM every
year under CIPv3 to ensure its null lists of CAs and CCAs
were still valid.
• WECC’s compliance monitoring approach for DPs will
seek evidence that the DP implemented the process
required by CIP-002-5.1 and documented the results of
the evaluation of its systems to demonstrate
compliance with the CIPv5 Standards.