Technologies for Security and Compliance by Ken McIntyre, Ercot

Page 1 Company Logo

2012 Technologies for Security and Compliance Summit

August 2012Austin, Texas

Ken McIntyre

Director Standards and Protocol Compliance

Electric Reliability Council Of Texas

Page 2 Company Logo

2012 Technologies for Security and Compliance Summit

Presentation:

• Electric Reliability Council of Texas

• The Regulatory Challenge

• ERCOT Compliance Initiatives

Page 3 Company Logo

Electric Reliability Council Of Texas (ERCOT)

ERCOT Responsibilities

• System Reliability

• Open and Competitive Markets

• Congestion Management

• Network Modeling

Page 4 Company Logo


Key Features of the ERCOT Grid

• Represents 85% of Texas Load

• 74,000 MW of generation capacity

• 40,530 miles of transmission lines

• Electrical island with several DC Ties

• RC, BA, TOP (CFR), PC, IC, RP, TSP

ERCOT facilitates competitive markets to help achieve reliability.

ERCOT facilitates competitive markets to help achieve reliability.

Page 5 Company Logo


ERCOT Compliance Department

• Centralized Compliance Program

• Increased from two to thirteen employees

• 693, CIP and all ERCOT Protocols

• Standards Development (ballots etc.)

• All things NERC e.g. CANs, TFEs, EA

ERCOT Compliance Mission Statement:Promote ERCOT Reliability, Security and Compliance,

through Collaboration, Leadership and Expertise.

ERCOT Compliance Mission Statement:Promote ERCOT Reliability, Security and Compliance,

through Collaboration, Leadership and Expertise.

Page 6 Company Logo

The Regulatory Challenge

ERCOT

Public Utility Commission of

TexasPUCT

FERC / NERC

SSAE16 / SOXERCOT Board

F&A(Internal Audits)

Texas Reliability Entity

(Regional Entity)

DOE, DHS, EPA, NAESB

Page 7 Company Logo

Page 8 Company Logo

Page 9 Company Logo

Page 10 Company Logo

The Regulatory Challenge cont.

• Audits and Investigation Preparation

• Compliance burden on organization

• Standards Development

• Compliance with new standards and versions

• Internal Compliance and Monitoring Program

• Event Analysis Reporting and Lessons Learned

• Institutionalize recommendations

• Critical Infrastructure Protection

• Maintaining best practice / Defense in Depth

• SCADA System integrity / Smart Grid information / Mobile Devices

• CIP Standards and new versions


ERCOT Compliance Initiatives

What should the Compliance Department do?

• Compliance ‘promotes’ Reliability and Security

• Allow Subject Matter Experts to focus on improving industry, while still meeting compliance obligations (daily activities)

• Reduce duplication of regulatory efforts across the organization (one activity meets multiple regulatory requirements)

• Active Policy Monitoring and Enforcement to allow early detection and mitigation of issues, and avoid unnecessary compliance burden

• Minimize ‘Drift’ from stated expectations

• Institutionalize Recommendations, ‘Normal Practice’


ERCOT Compliance Initiatives cont.

What is the Compliance Department going to do?

• Consolidate PUCT/FERC/NERC Compliance Data Repositories

• Common regulatory evidence, sampling, reporting, event analysis, mitigation

• Implement AlertEnterprise ‘GRC’ Solution for Compliance

• NERC Reliability Standards, ERCOT Protocols, Corporate Policies, SSAE16

• Automate RSAW development, and other compliance activities

• Active Policy Monitoring and Enforcement (2013)

• Map requirements between multiple regulatory environments

• Provide Compliance Transparency

• AlertEnterprise Dashboards for Executives and Managers

• Risk/Gap/Impact analysis (AlertEnterprise ‘Risk Engine’ concept)



Additional detail on some initiatives....



AlertEnterprise/ERCOT mapping requirements between multiple regulatory environments:

- Map requirements between NERC – Protocols – Guides – Policy

- Interactive display of Requirement and document associations with master & transaction data,

- Displays Requirement association with transaction data (Assessments, Investigation, Mitigation, Self Report, Action Items, RSAW, Event Tracker) within a date range



AlertEnterprise/ERCOT NERC RSAW functionality:

- Developed for NERC RSAW creation,

- Can be applied/formatted for other regulatory requirements

- Templates with requirements and placeholders for compliance actions, SME and evidence tables

RSAW Kickoff

Requirements Mapping and

Evidence Collection

RSAW Draft Review and submission

process

NERC







AlertEnterprise/ERCOT ‘Risk Engine’ concept :

- Essentially a means to provide the association of a NERC ‘risk score’ or ‘risk categorization’ to framework items and controls

- Based on VRF, compliance history, enforcement history, NERC ranking (Top 20), self reports, mitigation plans etc.

- Benefits of assigning a ‘risk score’ to a standard and requirement will be the development of appropriate monitoring, reporting, dash-boarding, frequency of assessments, focused training, resource allocation etc.

- ERCOT vision is one of a ‘real-time’ compliance monitoring tool. Are we compliant today and what is the confidence that our controls in place are adequate, how well are we prepared to demonstrate compliance?


Thank you - Questions?

Technologies for Security and Compliance by Ken McIntyre, Ercot

Technology

ercot reliability

compliance history

compliance actions

ercot grid

tsp ercot

ercot vision

versions internal compliance

compliance summit presentation