“In God We Trust, All Others Bring Data”* Setting up Internal Controls to Know the Health of your CIP Program October 1, 2018 *W. Edwards Deming
Page 1: “In God We Trust, All Others Bring Data”* God We Trust Josh... · 2018-10-31 · Power & Light merged ... ce • Management of ... NERC Compliance Implementation Steering Committee

“In God We Trust, All Others Bring Data”* Setting up Internal Controls to Know the Health of your CIP Program

October 1, 2018

*W. Edwards Deming

Page 2

Agenda

Safety Topic

Governance/Ownership

Control Types

Tools

Execution

Risk Management

Feedback

2 EMMOS Conference / 10-01-2018

Page 3

Safety Topic Dehydration at Work

Dehydration can affect:

• Productivity, Safety, Health Care Costs and Employee Morale

• Decision making ability and cognitive performance

Symptoms of dehydration include:

• Headaches, Tiredness, Loss of Concentration

• Dry mouth, thirst, dry skin, lightheadedness

Prevention:

• Drink water at regular intervals

• Women about 8 cups per day

• Men about 10 cups per day

https://gastrolyte.com.au/dehydration/dehydration-at-work/

https://www.wcf.com/sites/default/files/SummerSafetyTHIRST.pdf

Page 4

Who is Evergy?

• Evergy, Inc. formed on June 4, 2018 when Westar Energy and Kansas City Power & Light merged

• Operating Company names remain during brand transition

Page 5

Who are we?

• Joshua Roper

• Director, FERC & NERC Compliance

• KCP&L and Westar, Evergy Companies

• Chris Unton

• Practice Lead, Security & Compliance

• Utilicast

Page 6

Evergy NERC Program Principles

• NERC compliance is the foundation of the reliability and security program for the Company.

• Good practices/process should result in compliance as a byproduct.

• Implement sustainable solutions that meet the reliability and security intent of the NERC requirements. Utilize technology where appropriate to automate tasks.

• Develop management practices (controls) to provide reasonable assurance our processes are operating correctly and enable continuous improvement.

Page 7

Evergy NERC Program Governance Structure and Roles

(Organization diagram; roles and their listed responsibilities, in slide order)

Accountable Officers

FERC & NERC Compliance

• Management of Risk

• Monitor Implementation Plans

• Support Monitoring Program

• Prioritize Resources

• Oversight for CIP Quality Control

• Escalation (compliance failures, operational collisions)

• Governance of NERC Ops & Planning, NERC CIP

• Strategic Prioritization

• Escalation (compliance failures, operational collisions)

Standard Owners / Requirement Owners

Quality Control

• Standards/Requirements Interpretations

• Execution and Enforcement of NERC compliance posture (SME)

• 1 lead SME, plus business unit support as necessary

• Support during audits

• Awareness of business unit differences in compliance posture (where applicable)

• Control Owner

Committees and meetings in the diagram: Federal Regulatory Committee; Standard and Requirement Owner Meetings; NERC Compliance Implementation Steering Committee; Energy Regulatory Committee

Page 8

Ownership Example

• Owners are posted on company SharePoint site for easy reference

• Clear line of sight for responsibilities and accountability

Page 9

Defining Internal Controls

• Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

https://na.theiia.org/standards-guidance/topics/Documents/Executive_Summary.pdf

• For CIP, our target is 100% process effectiveness as it only takes a single opening for an attacker to exploit, and the NERC CIP Standards rely on a zero tolerance model

• Where possible, we layer controls to achieve increased assurance that we are meeting the requirement (defense in depth)

Page 10

Preventative Controls

• CIP-004 R2/R3 Training / PRA check within Access Request system

• Can’t submit a NERC access request if you’re not “green”

• CIP-003 R3/R4 Check for CIP Senior Manager changes

• Every 30 days: proactively ask if changes were made

• Policy/Process/Procedure

• Unwritten rules are hard to follow

CIP Delegation (process flow diagram; swimlanes: CIP Program Manager, Delegate, Requester, CIP Senior Manager, CEO)

Activities in the flow:

• Notified that current delegate has or is leaving the company

• Submit delegate request to CIP Program Manager

• Determine delegate

• Notify delegate via email

• Update CIP Senior Manager Document

• Sign CIP Senior Manager Document (appears three times in the diagram)

• End

Decision points, each with Yes/No branches:

• Assess if topic is allowed to delegate?

• Does CIP Sr. Mgr want to delegate?

• Approve Delegate?

• Document updates needed?

Page 11

Detective Controls

• CIP-007 R4 Splunk heartbeats

• CIP-010 R1 Change Management ticket reviews
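An added example, not code from the presentation, of the CIP-007 R4 heartbeat check described above: every in-scope asset must still be delivering security event logs, so the control alerts on assets whose newest event is too old and, more importantly, on inventoried assets with no events at all. The asset inventory, host names, timestamps and the one-hour silence threshold are constructed; in practice the last-seen table would be parsed from a scheduled Splunk search such as `... | stats latest(_time) AS last_seen BY host`.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of in-scope BES Cyber Assets that are expected to
# forward security event logs (CIP-007 R4). Host names are hypothetical.
CIP_LOG_SOURCES = {"ems-hmi-01", "ems-hmi-02", "eap-fw-01", "sub-rtu-07"}

# Constructed "last event seen" table, as parsed from a scheduled Splunk
# search like  ... | stats latest(_time) AS last_seen BY host  would look.
# sub-rtu-07 is deliberately absent: it never reported into the index.
NOW = datetime(2018, 10, 1, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    "ems-hmi-01": NOW - timedelta(minutes=5),
    "ems-hmi-02": NOW - timedelta(hours=3),     # silent for too long
    "eap-fw-01": NOW - timedelta(minutes=1),
    "corp-web-01": NOW - timedelta(minutes=2),  # not in CIP scope: ignored
}

def heartbeat_findings(expected, last_seen, now, max_silence=timedelta(hours=1)):
    """Return sorted (host, status, silence) tuples for unhealthy log sources.

    status is 'no_events' when an in-scope host has never appeared in the
    index at all, or 'stale' when its newest event is older than max_silence.
    Hosts outside the expected set are ignored: this control only asserts
    that every in-scope asset is still logging, not that scope is complete.
    """
    findings = []
    for host in sorted(expected):
        seen = last_seen.get(host)
        if seen is None:
            findings.append((host, "no_events", None))
            continue
        silence = now - seen
        if silence > max_silence:
            findings.append((host, "stale", silence))
    return findings

if __name__ == "__main__":
    for host, status, silence in heartbeat_findings(CIP_LOG_SOURCES, LAST_SEEN, NOW):
        detail = f" (last event {silence} ago)" if silence else ""
        print(f"ALERT {host}: {status}{detail}")
```

Routing the 'no_events' case to a ticket is what makes this a control rather than a dashboard: a host that silently drops out of the index is exactly the failure the heartbeat exists to catch.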

Page 12

Corrective Controls

• Annual document reviews

• Incident tickets to respond to baseline deviations
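An added example, not the presenters' code, that ties the CIP-010 R1 change management ticket review from the Detective Controls slide to the baseline deviation incident tickets here: a scanned configuration is diffed against the approved baseline, each deviation is matched to an approved change ticket, and anything unmatched becomes an incident. The five baseline elements follow CIP-010 R1.1; the asset values, change ticket ids and ticket record format are constructed.

```python
# Constructed approved baseline for one hypothetical BES Cyber Asset, keyed by
# the five CIP-010 R1.1 baseline elements. All values are made up.
BASELINE = {
    "os_firmware": {"Windows Server 2016 build 14393"},
    "commercial_software": {"Log Forwarder 7.1", "Antivirus 11.2"},
    "custom_software": {"ems-poller 2.3"},
    "logical_ports": {"tcp/443", "tcp/3389", "udp/161"},
    "security_patches": {"KB-0001", "KB-0002"},
}
# Constructed result of a configuration scan of the same asset.
OBSERVED = {
    "os_firmware": {"Windows Server 2016 build 14393"},
    "commercial_software": {"Log Forwarder 7.2", "Antivirus 11.2"},
    "custom_software": {"ems-poller 2.3"},
    "logical_ports": {"tcp/443", "tcp/3389", "udp/161", "tcp/5985"},
    "security_patches": {"KB-0001", "KB-0002", "KB-0003"},
}
# Constructed approved change tickets and the (element, item) pairs each authorizes.
APPROVED_CHANGES = {
    "CHG-0001": {("commercial_software", "Log Forwarder 7.1"),
                 ("commercial_software", "Log Forwarder 7.2")},
    "CHG-0002": {("security_patches", "KB-0003")},
}

def baseline_deviations(baseline, observed):
    """Return (element, kind, item) for every difference; kind is 'added' or 'removed'."""
    out = []
    for element in baseline:
        current = observed.get(element, set())
        out += [(element, "added", i) for i in sorted(current - baseline[element])]
        out += [(element, "removed", i) for i in sorted(baseline[element] - current)]
    return out

def triage(baseline, observed, approved):
    """Split deviations into baseline updates owed to approved changes and incident tickets."""
    authorized = {pair: chg for chg, pairs in approved.items() for pair in pairs}
    update_baseline, incidents = [], []
    for element, kind, item in baseline_deviations(baseline, observed):
        chg = authorized.get((element, item))
        if chg:  # change went through change management: baseline just needs updating
            update_baseline.append((element, kind, item, chg))
        else:    # nobody authorized this: corrective control opens an incident
            incidents.append({"element": element, "kind": kind, "item": item,
                              "action": "open incident: verify, then revert or authorize"})
    return update_baseline, incidents

if __name__ == "__main__":
    updates, incidents = triage(BASELINE, OBSERVED, APPROVED_CHANGES)
    print("baseline updates:", updates)
    print("incident tickets:", incidents)
```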

Page 13

Manual vs. Automated controls

• Automated is preferred, but it’s only good if someone is reviewing the output. Automated is also more expensive upfront, but can pay off over time due to lower labor expense, increased accuracy, and lower risk.

• Balance risk / cost of implementation / frequency of execution


Page 14

Controls Structures

• Controls Matrix

• 245 active CIP controls – list is dynamic

• Controls Life Cycle: Build → Inventory → Activate → Operate → Evaluate → Retire

Page 15

Tool Support

• Custom task workflow/reminder system (CIDR)

• SharePoint based document storage

Page 16

Setting up a recurring task reminder

Page 17

Task owner receives an alert when due, escalations built into the workflow

Page 18

You’re only as good as your last test

• Quarterly and annual control effectiveness tests performed by FERC & NERC Assurance team (second line of defense)

• Record sampling or 100% testing as dictated by the control

• Results stored to assist with NERC self certification and other internal tasks

Page 19

Risk Assessment

• Control design and control monitoring activities are based on risk

• Annual self checks on risk position

• Focus on high volume, complex and manual processes

Page 20

Residual Risk Analysis - CIP

Standard               KCPL Registration   Westar Registration
CIP-002-5.1            Example             Example
CIP-003-6              Example             Example
CIP-004-6              Example             Example
CIP-005-5              Example             Example
CIP-006-6              Example             Example
CIP-007-6              Example             Example
CIP-008-5              Example             Example
CIP-009-6              Example             Example
CIP-010-2              Example             Example
CIP-011-2              Example             Example
CIP-013-1 (not final)  TBD                 TBD
CIP-014-2              Example             Example

Page 21

Feedback

