Load Settlement Business Advisory Committee
Meeting #8
October 5th, 2006
AESO Boardroom
LSBAC Agenda (DRAFT)
October 5th, 2006, 9:00 am – 11:30 am
•
•
•
•
•
•
•
Welcome and introductions
Administrative matters
Settlement Zone Accuracy Working Group (Bob Deyl)
File Transfer Mechanism Risk Assessment (Blair Morton)
File Transfer Mechanism Backup Plan (Blair Morton)
Roles and Mandates (DOE)
Other (all)
Settlement Zone Accuracy Working Group
(Presenter: Bob Deyl)
File Transfer Mechanism (FTM) Workgroup
Risk Assessment
(Presenter: Blair Morton)
Blair Morton, ATCO Electric
Kathryn Wood, DOE
David Strayer, EPCOR
Kathy McCollum, ATCO Gas
Doug Coreman, ENMAX
Peter Graham, ENMAX
Fino Tiberi, EUB
Peter Wong, AESO
Ilgi Sultanoglu, ENMAX
Introduction
• The File Transfer Risk Assessment Workgroup
was charged with reviewing the independent
assessment done by CGI.
• The following slides summarize the workgroup’s
recommendations based on CGI’s final report.
Recommendation #1:
•
•
•
The workgroup and the independent consultant do not support replacing DC at this
time. From the risk perspective, the workgroup believes that DC can be made
acceptable through additional operational monitoring, controls, and processes. This
can be achieved through manual intervention, awareness, and avoidance of
problematic features. The workgroup does expect that a replacement will be
required in 2-3 years.
Should new risks emerge from anticipated new requirements or changes in use that
cannot be mitigated, seeking a replacement solution should be accelerated. An
example may be where automated meter reading volumes are anticipated to exceed
capabilities of Dropchute, or a significant number of market participants experiencing
data transfer problems.
From the operational perspective, the workgroup recognizes that there are limitations in
the product that do not fulfill some business needs and operational challenges that
impact reliability that the industry is being asked to accept. These are issues that must
be considered in defining future requirements for a replacement solution.
Report Recommendation:
•
‘Maintain current DropChute environment, but invest in a second FTM option.
Keeping the DropChute environment, allows stakeholders to keep costs low and
provides fair access for smaller organizations. Investing in another FTM option
provides choice for larger organizations but keeps complexity to a minimum and solves
the ‘orphan’ product problem for DropChute.’
Recommendation #2:
•
The workgroup recommends that market participants
individually address the top ten risks identified (see subrecommendations). By being more aware of the weaker
areas and features in DC, market participants can tailor their
processes and add controls to avoid or minimize risks
related to those areas.
Report Recommendation:
•
‘Mitigation plans should continue to be implemented at
the individual stakeholder level. Based on the overall
industry risk being acceptable and that mitigations are
currently being deployed for most of the top ten risks, CGI
recommends a continuation of the current DropChute
mitigation approach.’
Recommendation #2a:
•
Provide detailed clarity in enforcement for data noncompliance. Addressing this issue allows market
participants to have a more comprehensive understanding of
the penalties (financial risks) related to non-compliance.
Currently the enforcement penalties are broadly defined.
Recommendation #2b:
•
There are a number of limitations in the DC application,
which do not address some requirements related to CSOX.
The workgroup acknowledges these limitations and
recommends that market participants accept the product
limitations. The lack of functionality can be addressed by
developing additional functionality outside of the DC product.
The workgroup recommends that these limitations be
addressed in the specifications for a future replacement
mechanism.
Recommendation #2c:
•
The workgroup recommends that the industry support
development of confirmation transactions, and include
requirements for confirmation transactions in any future
replacement solution. For the short term, the workgroup
agrees that the mitigation is to increase awareness of
problem areas, avoid those operational features, increase
monitoring, and put processes in place to correct situations
where those problems emerge. Note that some market
participants have already addressed some or all of these
problem areas.
Recommendation #2d:
•
•
For the short term, accept that the current DC platform provides
an outdated level of security that poses a risk to the data.
Migration to a newer platform may appear to resolve the problem,
but may not as the DC product being unsupported on the newer
platform may not utilize any of the newer security features.
The workgroup recommends that the industry specifically
monitor and assess the severity of security risks resulting from
remaining on an unsupported platform where new patches cannot
be installed. If a market participant identifies an unacceptable risk
(i.e. unable to install a security patch), they are asked to report this
situation to the EUB. (See Recommendation #5 for EUB follow
up)
Recommendation #3:
•
The workgroup proposes that all market participants review the
findings in the report and be aware of the issues pertaining to the
DC product and features; refine their own processes to avoid
features that result in identified problems; continue to monitor areas
where these problems have been identified; and report those
problems to the EUB. The workgroup recommends that this action
be carried out immediately.
Report Recommendation:
•
‘Inform Stakeholders of DropChute behaviors identified in Lab
and evaluate fine tuning recommendations. Awareness of
specific behavior areas are the Data Persistence Delay, Script
Execution, DropChute Files, Error Dialogs and Database Size.
Please refer to the Fine tunings list in the Appendix.’
Recommendation #4:
•
Proceed with developing a backup plan for disaster
situations. Currently the industry does not have a
comprehensive or well coordinated plan for handling failures
in the data communications infrastructure. The FTM
workgroup is currently developing a plan for industry. The
workgroup recommends that the plan be ready for use by the
end of 1Q 2007.
Recommendation #5:
•
The workgroup recommends that the industry should
continue to monitor for any new risks (or problems) or
increases in the known risks with Dropchute every 4 months.
The monitoring should be established under the EUB, who is
currently collecting data on Dropchute problems related to
TBC.
Report Recommendation:
•
‘Continue to Monitor and Report - Use this risk
assessment as a baseline. It is important to monitor the
effectiveness of the risk mitigation plans and the factors that
may affect probabilities or impact.’
Recommendation #6:
•
The report recommends an overall ‘Privacy Impact Assessment’
be done. The workgroup agrees that this assessment should be
completed and coordinated between the EUB and DOE.
Report Recommendation:
•
‘The only other next step to consider, based on R6, unless already
completed, is the recommendation for an overall Privacy Impact
Assessment (PIA). The probability and impact of personal
information being disclosed to another party without consent or
being used for other purposes should be reviewed. The Alberta
PIPA (Personal Information Protection Act) and Federal PIPEDA
(Personal Information Protection and Electronic Documents Act)
are the relevant acts. Although information is encrypted enroute,
between DropChute boxes, there is the risk a wrong destination
organization could receive and interpret personal information like
addresses. A PIA was out of scope for this report but should be
considered as a next step.’
Additional Workgroup Comments:
•
The workgroup agrees with the report recommendations that
there are no immediate risks that require urgent
mitigation. The industry was concerned that with additional
TBC volumes commencing in July 2006, that there was a
risk of DC failure. Testing conducted in the review has
shown there is capacity in DC to handle additional volumes
from the TBC. No further mitigating actions are required.
Additional Workgroup Comments:
•
The report recommended that a second FTM solution be
selected and offered concurrently to DC, to reduce transition
for smaller market participants. The workgroup believes that
this would introduce complexities for the industry and
did not support that direction.
Additional Workgroup Comments:
•
The workgroup determined that recommendations pertaining
to the top 10 identified risks would be the area of focus in
this review. The industry should proceed to looking at
mitigation of the lesser priority risks after the top 10
recommendations have been addressed.
Questions?
File Transfer Mechanism (FTM) Workgroup
Backup Plan
(Presenter: Blair Morton)
Blair Morton, ATCO Electric
Kathryn Wood, DOE
David Strayer, EPCOR
Kathy McCollum, ATCO Gas
Doug Coreman, ENMAX
Peter Graham, ENMAX
Fino Tiberi, EUB
Peter Wong, AESO
Ilgi Sultanoglu, ENMAX
Introduction
•
•
•
•
•
Industry raised concern that if TBC volume risks were uncovered in
risk assessment, there would not be sufficient time to mitigate them
Workgroup proceeded to develop a backup plan, using DVDs as
the preferred data transport method
Risk assessment review identified that TBC volume risks are not as
significant a concern as first thought. Additional concerns around
congestion were also dismissed through industry tests.
Workgroup continued to develop plan, but with less urgency. Need
for an industry backup plan is a recommendation from the
independent review
Recommendations of the workgroup on a backup plan are
presented here. Further design is required before implementation
Workgroup Process
•
•
•
•
•
Defined applicable scenarios
Validated preferred DVD alternative with other alternatives
Investigated factors that need to be considered
Made recommendations where appropriate
Present recommendations to industry
What is being backed up?
•
•
•
Two scenarios are considered
•
•
Failure of communications system infrastructure
(internet)
Failure of Dropchute application
Other more disastrous situations (eg. epidemics) can occur,
but are not considered, as data transfer would be pretty
unimportant relative to other services and functions
Scenarios assume failure of other mitigation plans
•
•
Some industry parties have other risk mitigation plan in
place (service providers have backup systems,
alternative providers in place, etc)
Impact of failures may be mitigated by business
continuity plans in some organizations
Communications System Failure
Scenario
•
Internet is not available to industry – may be due to viruses
or physical problems. Industry impact - Market participants
cannot transfer data through the internet infrastructure.
•
•
•
•
Invoked when failure is expected to be for days, not
hours
Not designed for long term failures, over 3 weeks
Assumes all other support (non-communications)
infrastructure is in place (eg. resources available,
settlement systems working, power available, etc)
What backup should industry have in place?
R1 – Validate Use of DVDs
•
•
Supported as an industry preference as a backup. Some
organizations have adopted this as their own solution
Workgroup validated the DVD option with:
•
•
•
•
Dedicated services should be used as primary, not a backup.
Also quite costly to have as a backup, especially for smaller
market participants
Dialup solutions do not have the capacity and may not be
available if the internet is down
Redundant service providers are viable for larger organizations,
but may also not be available in an internet outage
The workgroup recommended that DVDs be looked at as the
primary backup solution for this scenario and pursued the option
further.
R2 – Industry Wide Implementation
•
The backup plan is intended to address industry wide
problems and not for single part problems with internet
infrastructure
•
•
Partial use would create concurrent data paths for
industry, leading to confusion and complexity
Single party is responsible for localized issues through
corporate business continuity plans
R3 – Develop Business Standards
and Requirements
•
Business standards are required to reduce confusion in this manual
process. The simpler the rules and process, the less likelihood
errors will occur. The workgroup recommends that,
•
•
•
•
All data (of one type) for the day to be burned onto a single
DVD
DVDs be sent only once per day to parties where data
exchange is required
DVD labeling standards be developed (type, to, from, date, etc)
Files naming rules be followed – file naming rules are defined in
the code, and should apply in the backup situation to allow
integration with downstream processes and applications
•
Process to maintain contact information – who to send DVD to,
address, etc.
•
Review need for delivery standards – difficult to impose, if
courier services are impacted
R4 – Develop Technical Standards
and Requirements
•
•
Workgroup identified areas that require further work by
technical experts
Technical standards
•
•
•
•
Standardize on the type/format of DVDs to be used
Hardware standards – commercial requirements?
Encryption standards
Validation standards to check that DVD contains the data
expected
R5 – Decision Criteria
•
Workgroup concluded that the EUB is in the best position to decide
when to invoke a backup plan
•
•
•
•
•
•
Communications failures will impact 3 areas (load settlement,
tariff, gas settlement) under oversight by the EUB
Single party needs to be making decisions to invoke the plan
A simple prescriptive criteria for invoking a backup plan is
difficult to define
Decision to invoke depends upon the circumstances
Judgment on the deciding party is needed is needed to
account for the situation
EUB may have other similar processes as regulators for the
energy industry. This process may tie into an already
established one.
R6 – Transaction Timing/Backdating
•
Using DVDs introduces a delay in receiving transactions and
creates problems for processing transactions which are time
sensitive (enrollments)
•
•
•
•
Some systems do not have backdating capabilities and cannot
pre-date to when the transaction should have been processed
The workgroup supports relaxation of timing rules, suspension
of enrolment timing rules, and the processing on enrolment
transactions on a ‘when received basis’.
There will be a slight impact on accuracy of results
Enrolments may not occur on the expected date, which may
impact retailers
R7 – Communications Process
•
Where there is a communications infrastructure failure, it may also
affect other types of communication that would make it difficult or
impossible for the EUB to communicate that the backup plan is
invoked
•
•
One solution supported by the workgroup is where there has a
failure, and there is no communication with the EUB, the
backup plan is ‘assumed’ to be in effect after a period of time
(24 hours).
The process and plan should be included in the codes or rules
Summary of Recommendations
•
Workgroup supports the DVD backup solution and does not see
any major impediments to implementation at this time. More
detailed work is required in various areas and will confirm this. The
workgroup has provided its recommendations on the direction for
these areas.
•
•
•
•
•
Use simple DVD process, and invoke on industry wide basis
Detail technical and business requirements, under the EUB
Develop decision criteria for invoking backup under EUB
Relax transaction timing rules to avoid backdating
The workgroup Target completion of the work by end 1Q 2007
Dropchute Application Failure
Scenario
•
Dropchute application fails but the internet infrastructure remains in
place – may be due to limitations in the application,
application/platform specific virus, platform/application
incompatibility. Industry impact - Market participants cannot
transfer data through the internet infrastructure.
•
•
•
Industry wide, this scenario is highly unlikely
Failure at one installation is more likely
DVD backup scenario may also work for this type of failure
Options Considered
•
Workgroup considered various options that continue to use the
internet for data exchange.
•
•
•
Files via email, secure FTP pickup, redundant Dropchute, and
managing transfers using Dropchute.
Industry has provided strong support for the secure FTP option
The workgroup concurs with the industry and proceeded to
investigate the option further
Secure FTP Option
•
Pros:
•
•
•
•
•
•
Uses existing communication infrastructure
Minimal disruption and cost to client sites
Similar transfer solution as Dropchute - mailbox setups
Volumes and capacity issues are easily addressed
More automated than DVD solutions
Cons:
•
•
Requires infrastructure to be in place
Requires ongoing maintenance for infrastructure and
process
Costs
•
•
Cost estimates for two types of secure FTP installations were
obtained, to provide a sense of the magnitude of the costs.
Wire Owner/LSA Hosted sites (each site):
•
•
•
•
$62,400 for UNIX Server (Approx same for Windows
w/Security)
$50,000 per year maintenance (1/2 man-year)
Based on typical server setups
Externally Hosted site (one site for industry):
•
•
•
$22,100 capital costs (UNIX)
$32,000 per year maintenance costs
Based on minimal specifications, costs will vary depending on
arrangements and requirements
Issues to be Considered
•
•
•
Cost sharing arrangements need to be worked out for
externally hosted site configuration
Wire Owner/LSA hosted sites can be used for localized
backup situations and may be combined with other backup
functions
Need a process to invoke this plan – should be called by a
regulating agency (EUB)
Summary of Recommendations
•
Workgroup summary:
•
•
•
Secure FTP solutions are viable with little impediment to
implementation, but require an initial investment of
capital and continued maintenance costs.
A DVD solution is also viable to address this situation,
but would be much more cumbersome and manual if
called upon.
The workgroup sees both approaches fairly even, and seeks
further feedback on industry preferences.
Questions?
Next Steps – Working Groups
• Request written comments on Workgroup Report
recommendations
• Agencies will consider recommendations in report
and input from industry
• Announce decision to proceed and next steps
Roles and Mandates
Transition of Rule Making Authority for SSC
(DOE)
Other Topics
Closing Out