“In God We Trust, All Others Bring Data”*
Setting up Internal Controls to Know the Health of your CIP Program
October 1, 2018
*W. Edwards Deming
Agenda
Safety Topic
Governance/Ownership
Control Types
Tools
Execution
Risk Management
Feedback
EMMOS Conference / 10-01-2018
Safety Topic: Dehydration at Work
Dehydration can affect:
• Productivity, Safety, Health Care Costs and Employee Morale
• Decision making ability and cognitive performance
Symptoms of dehydration include:
• Headaches, Tiredness, Loss of Concentration
• Dry mouth, thirst, dry skin, lightheadedness
Prevention:
• Drink water at regular intervals
• Women about 8 cups per day
• Men about 10 cups per day
https://gastrolyte.com.au/dehydration/dehydration-at-work/
https://www.wcf.com/sites/default/files/SummerSafetyTHIRST.pdf
Who is Evergy?
• Evergy, Inc. formed on June 4, 2018 when Westar Energy and Kansas City Power & Light merged
• Operating Company names remain during brand transition
Who are we?
• Joshua Roper
• Director, FERC & NERC Compliance
• KCP&L and Westar, Evergy Companies
• Chris Unton
• Practice Lead, Security & Compliance
• Utilicast
Evergy NERC Program Principles
• NERC compliance is the foundation of the reliability and security program for the Company.
• Good practices/process should result in compliance as a byproduct.
• Implement sustainable solutions that meet the reliability and security intent of the NERC requirements. Utilize technology where appropriate to automate tasks.
• Develop management practices (controls) to provide reasonable assurance our processes are operating correctly and enable continuous improvement.
Evergy NERC Program Governance Structure and Roles

Accountable Officers
• Governance of NERC Ops & Planning, NERC CIP
• Strategic Prioritization
• Escalation (compliance failures, operational collisions)

FERC & NERC Compliance
• Management of Risk
• Monitor Implementation Plans
• Support Monitoring Program
• Prioritize Resources
• Oversight for CIP Quality Control
• Escalation (compliance failures, operational collisions)

Standard Owners / Requirement Owners
• Standards/Requirements Interpretations
• Execution and Enforcement of NERC compliance posture (SME)
• 1 lead SME, plus business unit support as necessary
• Support during audits
• Awareness of business unit differences in compliance posture (where applicable)
• Control Owner

Quality Control (lane label in the original chart)

Governance forums
• Federal Regulatory Committee
• Standard and Requirement Owner Meetings
• NERC Compliance Implementation Steering Committee
• Energy Regulatory Committee
Ownership Example
• Owners are posted on company SharePoint site for easy reference
• Clear line of sight for responsibilities and accountability
Defining Internal Controls
• Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
https://na.theiia.org/standards-guidance/topics/Documents/Executive_Summary.pdf
• For CIP, our target is 100% process effectiveness: it only takes a single opening for an attacker to exploit, and the NERC CIP Standards are enforced on a zero-tolerance model, so a single missed instance is a potential violation
• Where possible, we layer controls to achieve increased assurance that we are meeting the requirement (defense in depth)
Preventative Controls
• CIP-004 R2/R3 Training / PRA check within Access Request system
  • Can’t submit a NERC access request if you’re not “green”
• CIP-003 R3/R4 Check for CIP Senior Manager changes
  • Every 30 days: proactively ask if changes were made
• Policy/Process/Procedure
  • Unwritten rules are hard to follow
CIP Delegation (process flow; swimlanes: CIP Program Manager, Delegate, Requester, CIP Senior Manager, CEO)
1. The Requester is notified that the current delegate has left or is leaving the company and submits a delegate request to the CIP Program Manager.
2. Assess whether the topic is allowed to be delegated. No: end. Yes: continue.
3. Does the CIP Senior Manager want to delegate? No: end. Yes: determine the delegate.
4. Approve delegate? Yes: notify the delegate via email and update the CIP Senior Manager Document.
5. Document updates needed? No: end. Yes: the CIP Senior Manager Document is signed (the chart shows three signature steps, one in each of the Delegate, CIP Senior Manager and CEO lanes).
Detective Controls
• CIP-007 R4 Splunk heartbeats (alert when a monitored asset stops sending security events)
• CIP-010 R1 Change Management ticket reviews
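The heartbeat idea on this slide, as an added example that is not code from the presentation, Evergy or Utilicast: the check takes a list of assets that are required to forward security events, finds the last event each one sent, and raises an alert for any asset that has gone quiet longer than the allowed gap or has never reported. It assumes log lines of the form "<ISO-8601 UTC timestamp> <source host> <message>"; the inventory, sample lines and thresholds are constructed for the example. It also surfaces sources that are logging but are missing from the inventory, since the same data answers that question for free.

```python
"""Detective control for CIP-007 R4 event logging: flag assets whose log
feed has gone quiet.

Added example, not code from the presentation, Evergy or Utilicast. Assumes
log lines "<ISO-8601 UTC timestamp> <source host> <message>"; the inventory,
log lines and thresholds below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory of assets that are required to forward security events.
EXPECTED_SOURCES = ["rtu-01", "hmi-02", "eacms-fw-01", "ems-app-01"]

# Constructed sample log lines.
SAMPLE_LOGS = """\
2018-09-30T23:55:10Z rtu-01 heartbeat
2018-10-01T00:02:41Z hmi-02 user login ok
2018-10-01T00:10:05Z rtu-01 heartbeat
2018-10-01T00:11:19Z eacms-fw-01 deny tcp 10.0.0.5:44321 -> 10.0.1.7:502
2018-10-01T00:20:00Z unknown-99 heartbeat
2018-10-01T00:25:10Z rtu-01 heartbeat
"""


def parse_timestamp(text):
    """Parse the assumed ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(log_text):
    """Return ({source: latest event time}, malformed_line_count).

    Malformed lines are counted rather than silently dropped: a parser that
    swallows errors is itself a gap in the control.
    """
    seen, malformed = {}, 0
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            malformed += 1
            continue
        try:
            ts = parse_timestamp(parts[0])
        except ValueError:
            malformed += 1
            continue
        source = parts[1]
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen, malformed


def heartbeat_check(log_text, now, max_gap, expected):
    """Alerts for inventoried sources that are silent or never reported, plus
    sources that log but are not in the inventory (an inventory question
    rather than a CIP-007 one, but worth raising from the same data)."""
    seen, malformed = last_seen(log_text)
    alerts = []
    for source in expected:
        if source not in seen:
            alerts.append((source, "never reported"))
        elif now - seen[source] > max_gap:
            alerts.append((source, "silent for %s" % (now - seen[source])))
    return {
        "alerts": sorted(alerts),
        "not_in_inventory": sorted(set(seen) - set(expected)),
        "malformed_lines": malformed,
    }


def run_check(now_text="2018-10-01T00:30:00Z", max_gap_minutes=15):
    """Run the check over the constructed sample with a fixed 'now' so the
    result is reproducible; a scheduled job would use datetime.now(timezone.utc)."""
    return heartbeat_check(SAMPLE_LOGS, parse_timestamp(now_text),
                           timedelta(minutes=max_gap_minutes), EXPECTED_SOURCES)


if __name__ == "__main__":
    for source, reason in run_check()["alerts"]:
        print("ALERT %s: %s" % (source, reason))
```

With the 15-minute gap used above, hmi-02 and eacms-fw-01 alert as silent and ems-app-01 as never having reported, while unknown-99 is listed as logging without being in the inventory. The gap should be tuned per source type: a firewall that goes 15 minutes without a deny is unusual, an RTU that only logs on state change is not, and a threshold that alerts constantly will be ignored, which defeats the control.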
Corrective Controls
• Annual document reviews
• Incident tickets to respond to baseline deviations
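How a baseline deviation turns into an incident ticket, as an added example that is not code from the presentation, Evergy or Utilicast: the observed state of an asset is diffed against its approved baseline across the five CIP-010-2 R1 Part 1.1 elements (OS/firmware, commercial software, custom software, logical ports, security patches), and a ticket is opened only for deviations that no approved change request covers; covered deviations are left to the change-management ticket review. The asset, software, ports, patch identifiers and change records are constructed for the example.

```python
"""Corrective control for CIP-010 R1: turn baseline deviations into incident
tickets, but only where change management has no approved record of the change.

Added example, not code from the presentation, Evergy or Utilicast. The five
baseline elements follow CIP-010-2 R1 Part 1.1; the asset names, software,
ports, patch IDs and change records are constructed for the example.
"""

# Constructed approved baseline, keyed by asset then baseline element.
BASELINE = {
    "hmi-02": {
        "os": {"Windows Server 2012 R2"},
        "software": {"ScadaView 4.2", "Splunk UF 7.1"},
        "custom": {"alarm-export 1.0"},
        "ports": {"tcp/443", "tcp/3389"},
        "patches": {"KB4457129"},
    },
}

# Constructed state as collected from the asset today.
OBSERVED = {
    "hmi-02": {
        "os": {"Windows Server 2012 R2"},
        "software": {"ScadaView 4.3", "Splunk UF 7.1"},
        "custom": {"alarm-export 1.0"},
        "ports": {"tcp/443", "tcp/3389", "tcp/8080"},
        "patches": {"KB4457129", "KB4462926"},
    },
}

# Constructed change-management records: (asset, element, item) tuples that an
# approved change request covers. The ScadaView upgrade (new version in, old
# version out) and the patch were approved; nothing authorises the new port.
APPROVED_CHANGES = {
    ("hmi-02", "software", "ScadaView 4.3"),
    ("hmi-02", "software", "ScadaView 4.2"),
    ("hmi-02", "patches", "KB4462926"),
}


def deviations(baseline, observed):
    """List every (asset, element, change, item) where observed != baseline.

    Assets or elements missing on one side count as deviations too, so an
    asset that silently drops out of collection is not treated as clean.
    """
    found = []
    for asset in sorted(set(baseline) | set(observed)):
        base, obs = baseline.get(asset, {}), observed.get(asset, {})
        for element in sorted(set(base) | set(obs)):
            b, o = base.get(element, set()), obs.get(element, set())
            found.extend((asset, element, "added", item) for item in sorted(o - b))
            found.extend((asset, element, "removed", item) for item in sorted(b - o))
    return found


def incident_tickets(baseline, observed, approved):
    """One ticket per deviation that no approved change request covers.

    Covered deviations are left to the change-management ticket review (the
    detective control); uncovered ones need an incident and a decision to
    roll back, or to authorise after the fact and update the baseline.
    """
    tickets = []
    for asset, element, change, item in deviations(baseline, observed):
        if (asset, element, item) in approved:
            continue
        tickets.append({
            "asset": asset,
            "element": element,
            "change": change,
            "item": item,
            "summary": "Unauthorized baseline deviation on %s: %s %s %s"
                       % (asset, element, item, change),
        })
    return tickets


if __name__ == "__main__":
    for ticket in incident_tickets(BASELINE, OBSERVED, APPROVED_CHANGES):
        print(ticket["summary"])
```

Run against the constructed data, the diff finds four deviations (patch added, port added, ScadaView 4.3 added, ScadaView 4.2 removed) and opens exactly one ticket, for tcp/8080, because the other three are covered by approved change records. The ticket is the corrective control; the approved-change lookup is where the detective control (ticket reviews) feeds in, and a deviation that is later authorised still has to flow back into an updated baseline or the next run will re-open it.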
Manual vs. Automated controls
• Automated is preferred, but it’s only good if someone is reviewing the output. Automated is also more expensive upfront, but can pay off over time due to lower labor expense, increased accuracy, and lower risk.
• Balance risk / cost of implementation / frequency of execution
Controls Structures
• Controls Matrix
  • 245 active CIP controls – list is dynamic
• Controls Life Cycle: Build → Inventory → Activate → Operate → Evaluate → Retire
Tool Support
• Custom task workflow/reminder system (CIDR)
• SharePoint based document storage
Setting up a recurring task reminder
Task owner receives an alert when due, escalations built into the workflow
You’re only as good as your last test
• Quarterly and annual control effectiveness tests performed by FERC & NERC Assurance team (second line of defense)
• Record sampling or 100% testing as dictated by the control
• Results stored to assist with NERC self certification and other internal tasks
Risk Assessment
• Control design and control monitoring activities are based on risk
• Annual self checks on risk position
• Focus on high volume, complex and manual processes
Residual Risk Analysis - CIP

Standard                KCPL Registration   Westar Registration
CIP-002-5.1             Example             Example
CIP-003-6               Example             Example
CIP-004-6               Example             Example
CIP-005-5               Example             Example
CIP-006-6               Example             Example
CIP-007-6               Example             Example
CIP-008-5               Example             Example
CIP-009-6               Example             Example
CIP-010-2               Example             Example
CIP-011-2               Example             Example
CIP-013-1 (not final)   TBD                 TBD
CIP-014-2               Example             Example
Feedback