Page 1
2012 Technologies for Security and Compliance Summit
August 2012, Austin, Texas
Ken McIntyre, Director Standards and Protocol Compliance
Electric Reliability Council Of Texas
Page 2
2012 Technologies for Security and Compliance Summit
Presentation:
• Electric Reliability Council of Texas
• The Regulatory Challenge
• ERCOT Compliance Initiatives
Page 3
Electric Reliability Council Of Texas (ERCOT)
ERCOT Responsibilities
• System Reliability
• Open and Competitive Markets
• Congestion Management
• Network Modeling
Page 4
Electric Reliability Council Of Texas (ERCOT)
Key Features of the ERCOT Grid
• Represents 85% of Texas Load
• 74,000 MW of generation capacity
• 40,530 miles of transmission lines
• Electrical island with several DC Ties
• RC, BA, TOP (CFR), PC, IC, RP, TSP
ERCOT facilitates competitive markets to help achieve reliability.
Page 5
Electric Reliability Council Of Texas (ERCOT)
ERCOT Compliance Department
• Centralized Compliance Program
• Increased from two to thirteen employees
• 693, CIP and all ERCOT Protocols
• Standards Development (ballots etc.)
• All things NERC e.g. CANs, TFEs, EA
ERCOT Compliance Mission Statement: Promote ERCOT Reliability, Security and Compliance, through Collaboration, Leadership and Expertise.
Page 6
The Regulatory Challenge
• ERCOT
• Public Utility Commission of Texas (PUCT)
• FERC / NERC
• SSAE16 / SOX
• ERCOT Board F&A (Internal Audits)
• Texas Reliability Entity (Regional Entity)
• DOE, DHS, EPA, NAESB
Page 7
Page 8
Page 9
Page 10
The Regulatory Challenge cont.
• Audits and Investigation Preparation
• Compliance burden on organization
• Standards Development
• Compliance with new standards and versions
• Internal Compliance and Monitoring Program
• Event Analysis Reporting and Lessons Learned
• Institutionalize recommendations
• Critical Infrastructure Protection
• Maintaining best practice / Defense in Depth
• SCADA System integrity / Smart Grid information / Mobile Devices
• CIP Standards and new versions
Page 11
ERCOT Compliance Initiatives
What should the Compliance Department do?
• Compliance ‘promotes’ Reliability and Security
• Allow Subject Matter Experts to focus on improving industry, while still meeting compliance obligations (daily activities)
• Reduce duplication of regulatory efforts across the organization (one activity meets multiple regulatory requirements)
• Active Policy Monitoring and Enforcement to allow early detection and mitigation of issues, and avoid unnecessary compliance burden
• Minimize ‘Drift’ from stated expectations
• Institutionalize Recommendations, ‘Normal Practice’
Page 12
ERCOT Compliance Initiatives cont.
What is the Compliance Department going to do?
• Consolidate PUCT/FERC/NERC Compliance Data Repositories
• Common regulatory evidence, sampling, reporting, event analysis, mitigation
• Implement AlertEnterprise ‘GRC’ Solution for Compliance
• NERC Reliability Standards, ERCOT Protocols, Corporate Policies, SSAE16
• Automate RSAW development, and other compliance activities
• Active Policy Monitoring and Enforcement (2013)
• Map requirements between multiple regulatory environments
• Provide Compliance Transparency
• AlertEnterprise Dashboards for Executives and Managers
• Risk/Gap/Impact analysis (AlertEnterprise ‘Risk Engine’ concept)
Page 13
ERCOT Compliance Initiatives cont.
Additional detail on some initiatives...
Page 14
ERCOT Compliance Initiatives cont.
AlertEnterprise/ERCOT mapping requirements between multiple regulatory environments:
- Map requirements between NERC – Protocols – Guides – Policy
- Interactive display of Requirement and document associations with master & transaction data
- Displays Requirement association with transaction data (Assessments, Investigation, Mitigation, Self Report, Action Items, RSAW, Event Tracker) within a date range
Page 15
ERCOT Compliance Initiatives cont.
AlertEnterprise/ERCOT NERC RSAW functionality:
- Developed for NERC RSAW creation
- Can be applied/formatted for other regulatory requirements
- Templates with requirements and placeholders for compliance actions, SME and evidence tables
Page 16
ERCOT Compliance Initiatives cont.
Page 17
ERCOT Compliance Initiatives cont.
Page 18
ERCOT Compliance Initiatives cont.
AlertEnterprise/ERCOT ‘Risk Engine’ concept:
- Essentially a means to provide the association of a NERC ‘risk score’ or ‘risk categorization’ to framework items and controls
- Based on VRF, compliance history, enforcement history, NERC ranking (Top 20), self reports, mitigation plans etc.
- Benefits of assigning a ‘risk score’ to a standard and requirement will be the development of appropriate monitoring, reporting, dash-boarding, frequency of assessments, focused training, resource allocation etc.
- ERCOT vision is one of a ‘real-time’ compliance monitoring tool. Are we compliant today, what is the confidence that our controls in place are adequate, and how well are we prepared to demonstrate compliance?
Page 19
Thank you - Questions?