Page 1: Technologies for Security and Compliance by Ken McIntyre, Ercot

2012 Technologies for Security and Compliance Summit

August 2012, Austin, Texas

Ken McIntyre

Director Standards and Protocol Compliance

Electric Reliability Council Of Texas

Presentation:

• Electric Reliability Council of Texas

• The Regulatory Challenge

• ERCOT Compliance Initiatives

Electric Reliability Council Of Texas (ERCOT)

ERCOT Responsibilities

• System Reliability

• Open and Competitive Markets

• Congestion Management

• Network Modeling

Electric Reliability Council Of Texas (ERCOT)

Key Features of the ERCOT Grid

• Represents 85% of Texas Load

• 74,000 MW of generation capacity

• 40,530 miles of transmission lines

• Electrical island with several DC Ties

• RC, BA, TOP (CFR), PC, IC, RP, TSP

ERCOT facilitates competitive markets to help achieve reliability.

Electric Reliability Council Of Texas (ERCOT)

ERCOT Compliance Department

• Centralized Compliance Program

• Increased from two to thirteen employees

• 693, CIP and all ERCOT Protocols

• Standards Development (ballots etc.)

• All things NERC e.g. CANs, TFEs, EA

ERCOT Compliance Mission Statement: Promote ERCOT Reliability, Security and Compliance, through Collaboration, Leadership and Expertise.

The Regulatory Challenge

ERCOT

Public Utility Commission of Texas (PUCT)

FERC / NERC

SSAE16 / SOX

ERCOT Board

F&A (Internal Audits)

Texas Reliability Entity (Regional Entity)

DOE, DHS, EPA, NAESB

The Regulatory Challenge cont.

• Audits and Investigation Preparation

• Compliance burden on organization

• Standards Development

• Compliance with new standards and versions

• Internal Compliance and Monitoring Program

• Event Analysis Reporting and Lessons Learned

• Institutionalize recommendations

• Critical Infrastructure Protection

• Maintaining best practice / Defense in Depth

• SCADA System integrity / Smart Grid information / Mobile Devices

• CIP Standards and new versions

ERCOT Compliance Initiatives

What should the Compliance Department do?

• Compliance ‘promotes’ Reliability and Security

• Allow Subject Matter Experts to focus on improving industry, while still meeting compliance obligations (daily activities)

• Reduce duplication of regulatory efforts across the organization (one activity meets multiple regulatory requirements)

• Active Policy Monitoring and Enforcement to allow early detection and mitigation of issues, and avoid unnecessary compliance burden

• Minimize ‘Drift’ from stated expectations

• Institutionalize Recommendations, ‘Normal Practice’

ERCOT Compliance Initiatives cont.

What is the Compliance Department going to do?

• Consolidate PUCT/FERC/NERC Compliance Data Repositories

• Common regulatory evidence, sampling, reporting, event analysis, mitigation

• Implement AlertEnterprise ‘GRC’ Solution for Compliance

• NERC Reliability Standards, ERCOT Protocols, Corporate Policies, SSAE16

• Automate RSAW development, and other compliance activities

• Active Policy Monitoring and Enforcement (2013)

• Map requirements between multiple regulatory environments

• Provide Compliance Transparency

• AlertEnterprise Dashboards for Executives and Managers

• Risk/Gap/Impact analysis (AlertEnterprise ‘Risk Engine’ concept)

ERCOT Compliance Initiatives cont.

Additional detail on some initiatives....

ERCOT Compliance Initiatives cont.

AlertEnterprise/ERCOT mapping requirements between multiple regulatory environments:

- Map requirements between NERC – Protocols – Guides – Policy

- Interactive display of Requirement and document associations with master & transaction data

- Displays Requirement association with transaction data (Assessments, Investigation, Mitigation, Self Report, Action Items, RSAW, Event Tracker) within a date range

ERCOT Compliance Initiatives cont.

AlertEnterprise/ERCOT NERC RSAW functionality:

- Developed for NERC RSAW creation

- Can be applied/formatted for other regulatory requirements

- Templates with requirements and placeholders for compliance actions, SME and evidence tables

RSAW Kickoff

Requirements Mapping and Evidence Collection

RSAW Draft Review and submission process

NERC

ERCOT Compliance Initiatives cont.

AlertEnterprise/ERCOT ‘Risk Engine’ concept:

- Essentially a means to provide the association of a NERC ‘risk score’ or ‘risk categorization’ to framework items and controls

- Based on VRF, compliance history, enforcement history, NERC ranking (Top 20), self reports, mitigation plans etc.

- Assigning a ‘risk score’ to a standard and requirement will support the development of appropriate monitoring, reporting, dashboarding, frequency of assessments, focused training, resource allocation etc.

- ERCOT's vision is a ‘real-time’ compliance monitoring tool: Are we compliant today, what is our confidence that the controls in place are adequate, and how well are we prepared to demonstrate compliance?

Thank you - Questions?
