Inherent Risk Assessment (IRA) Survey

[Entity Name][ACRO]
NCR#
Month Day, Year

155 North 400 West, Suite 200
Salt Lake City, Utah 84103-1114

Table of Contents

Purpose
Instructions
Organizational Profile
Agreements
Risk Assessment
Generation
Transmission
Load
Planning
Operations
Events
Changes to the System
Critical Infrastructure Protection (CIP)
Facility and BCS Identification
Identity and Access Management
Cyber Security Incidents
System Management
IRA Survey Certification

WESTERN ELECTRICITY COORDINATING COUNCIL
IRA Survey

Purpose

The information requested herein will help Western Electricity Coordinating Council (WECC) determine the level of the specific risks inherent to your Registered Entity in relation to the Bulk Electric System. WECC will use this information to compile the Inherent Risk Assessment (IRA) Report. The IRA report is a tool used by WECC to help select the appropriate compliance monitoring tools and develop a Compliance Oversight Plan (COP) for your Registered Entity. The IRA report may also affect the frequency of monitoring. The IRA will be a living document and will be reviewed periodically by WECC.

Instructions

Please provide a response to this survey, as applicable to your organization and registered functions, no later than 120 days prior to your next audit or 170 days prior if your Registered Entity is participating in an ICE.
If you have any questions related to this survey, please email reoversight@wecc.biz. Upon completion, please upload the survey to the Enhanced File Transfer (EFT) server to the “risk analysis” folder.

Organizational Profile

1. What is the official name of the company responsible for complying with NERC Reliability Standards?
2. Is your Entity and/or Corporate Affiliate currently listed on the NERC Compliance Registry in more than one Region? If yes, please provide the following:
   1. Please indicate each Region in which the Entity operates and/or owns facilities.
   2. If your Entity is currently under a formal Multi-Regional Registered Entity (MRRE) Coordinated Oversight Plan, please provide the following:
      i. Lead Regional Entity (LRE):
      ii. Affected Regional Entity (ARE):
3. Provide a high-level description of your parent company’s organization and structure. Please include an organizational chart with detail showing the NERC Compliance officer position or role.

Agreements

1. Does your Entity have any Coordinated Functional Registration (CFR) agreements, Joint Registration Organization (JRO) agreements, other delegation agreements, interconnection agreements, assignment agreements and/or contracts which transfer or share compliance related tasks with another Registered Entity or which transfer or share NERC compliance responsibility from other entities to you? (Applicable to all registered functions) If yes,
   a. Please provide a copy of all agreements.
   b. Please list the delegated tasks, the entity responsible for performance, and/or the entity responsible for demonstrating NERC compliance and reference the associated delegation agreement.

Risk Assessment

1. Does your entity staff conduct risk assessments pertaining to Bulk Electric System (BES) reliability? If so, please provide the following:
   a. Risk assessment methodology
   b. Frequency of risk assessment
   c. A summary of the most recent risk assessment
      i. What were the highest risks identified in your risk assessment?
2. For each risk area identified as medium to high risk (if any), how is your entity managing the risk?
3. Please list any seasonal reliability risks that you have identified. (Applicable to BA, TP, and TOP registered functions)

Generation

1. Please provide the following generation details for wholly or jointly owned BES generators by your Registered Entity. For jointly owned generators, please indicate the percentage of ownership: (Applicable to GO and GOP registered functions)

   Generation Facility Name | Name Plate Rating for each unit | Type of Generation (Hydro, Wind, Gas, Combined Cycle, Co-Gen, Nuclear, Steam, Solar) | Wholly or Jointly Owned | High Side Voltage | Low Side Voltage | Facility use (Base load, Peaking, Reserve sharing, etc.)

2. Are any of the generation facilities listed above identified as a Blackstart Resource in your or your TOP or RC’s restoration plan? (Applicable to GO, TOP or RC)
   a. If yes, please list which facilities are Blackstart Resources.
   b. If the unit is only used for Blackstart and is not in regular use, are routine maintenance and inspections performed?
   c. Since the last audit, have your Blackstart units experienced any curtailments, forced outages or failures to start when tested?
3. What is the total generation capacity (in MW), including non-BES and including Independent Power Producers (IPP), in your footprint? (Applicable to RC, BA, TOP, GO and GOP registered functions) Please separate the generation by type (e.g. Hydro, Wind, Solar, Gas, and Combined Cycle).
4. How much aggregate generation in your footprint is not scheduled or controllable by the BA, i.e. roof top solar or privately owned non-metered generation? (Applicable to BA registered function)
5. Do you have any generating units, either wholly or jointly owned, that are physically located in another Balancing Authority (BA) footprint? (Applicable to GO and GOP registered functions) If yes,
   a. Provide names and locations of each generating unit.
   b. For each generating unit that is physically located in another BA footprint, please identify how your Entity has considered those units in its risk assessment.

Transmission

1. Please provide a geographical and electrical description of your system and include the following information:
   a. Voltage levels (Applicable to DP, TO and TOP registered functions)
   b. Number of miles at each transmission voltage level (Applicable to DP, TO, and TOP registered functions)
   c. Number of interconnection points (point of connection with other entity), with whom, and at what voltage level (Applicable to TO, DP, TOP, and BA registered functions)
   d. Geographical terrain where the transmission lines are located (e.g. the transmission lines are located on plains with minimal vegetation growth or the transmission lines are on rugged terrain with wet lands, low growth rate vegetation, lakes, rivers or the transmission lines are located in terrain with high vegetation growth rate, dense forests, etc.) (Applicable to TO and GO registered functions)
   e. Do you have specific BES assets (Transmission Lines, Generators, Transformers, etc.) in your system that are considered medium to high risk (in terms of the level of impact of these facilities to the BES)? (Applicable to TO, TOP, BA, GO, and GOP registered functions)
      i. If yes, please list the assets.
      ii. For each asset identified, please describe why you have identified these assets as medium to high risk.

Load

1. Please provide your system peak load that occurred since the completion of your last audit. If this value is less than the peak load identified at your last audit, please indicate.
2. Since the completion of your last audit, has there been any change in your load profile?
3. Do you anticipate any changes to your load profile in the next three years?
   a. If yes, please describe the changes. (Applicable to BA, TOP, and DP registered functions)
4. Since the completion of your last audit, did you experience a manual or automatic firm load shed? If yes, please provide: (Applicable to TO, TOP, and DP registered functions)
   a. The date and location of each instance of load shedding.
   b. The amount of load that was shed each time.
   c. Whether it resulted from a UFLS or a UVLS trip.
5. In the operating horizon do you calculate generation reserve margin?
   a. If yes, please provide the regulating reserve margin you maintain. (Applicable to BA registered function)

Planning

1. Whose Balancing Authority Area(s) do you operate in? (Applicable to TOP, DP, GO, GOP, TO, TP, PA, and TSP registered functions)
   a. Has your operational BA changed since your last audit? If yes, please explain.
2. Do you have a formal process to identify entities that should be within your Planning Authority Area? (Applicable to PA or PC registered functions)
3. Please list the names of all NERC registered entities for which your company performs the Planning Authority (PA), Transmission Planner (TP) or Resource Planner (RP) functions. (Applicable to PA, TP, and RP registered functions)
4. Who have you identified as your Planning Authority? (Applicable to TOP, DP, GO, GOP, TO, TP, and TSP registered functions)
   a. Has there been a change in your PA since the last audit? If yes, please explain.
5. In your transmission planning model, do you model any information or facilities of your neighboring Planning Authority? (Applicable to PA or PC registered functions)
6. In your transmission planning model, do you model information or facilities of your neighboring entity even though the neighboring entity is not within your Planning Authority Area? (Applicable to PA, PC or TP)
7. Whose transmission operating area do your facilities reside within? (Applicable to DP, GO, GOP, TO, TP, and TSP)
8. For Planning Assessments, do you use a WECC Base Case or develop your own Base Case?
9. Please provide a list of WECC Major Transfer Path elements/facilities owned or operated by your entity. (Applicable to TO, GO, and TOP registered functions)
   a. Please list the rating of the Major Transfer Path(s) and main purpose of that path.
10. Has the RC and/or PA identified any established Interconnection Reliability Operating Limits (IROLs) in your system? (Applicable to PA, TP, TOP, TO, RC, GO registered functions) If yes:
   a. Please list all IROLs
   b. Have you identified any IROLs in the planning horizon?
   c. Have you identified any IROLs in the operating horizon?
11. List any models and/or tools used for real time operation analysis. (Applicable to TP, BA, GOP, and TOP registered functions)
   a. How do those models or tools interface with models used by transmission planners in the planning horizon?
12. Do you use Peak RC’s Hosted Advanced Applications for Real Time Contingency Analysis (RTCA)?
13. Do you have your own tool for RTCA?
14. Do you have a formal process to ensure operational models and planning models have the same modeling assumptions and both the models are in sync, that is both being updated with changes to the system and using the same assumptions?
15. On a daily basis, do you perform any type of planning studies to understand system conditions and develop pre-contingency actions?
16. Please provide an overview diagram of your system. This could be a simple diagram representing your footprint and interconnections with your neighbors.
   (All Registered functions)
17. Please provide a copy of your current annual TPL assessments.
18. Please provide details of Special Protection Schemes (SPS) and/or Remedial Action Schemes (RAS) owned and/or maintained by your entity. (Applicable to TO, TOP, GO, and DP registered functions)
   a. Please identify if the SPS is owned or maintained by you and if you classify them as Local Area Protection Scheme (LAPS), Wide Area Protection Scheme (WAPS) or Safety Net.
   b. Please include in the description your responsibility for operation and/or maintenance of SPS/RAS components.
   c. How often does your Planning group review the design of your SPS/RAS, or the SPS/RAS that affects your Entity’s system?
   d. Are any of the SPS/RAS elements you own or maintain included in protection systems for a WECC Major Transfer Path?
   e. What is the main function of the SPS/RAS owned or operated by you? Are they for:
      i. Post Transient Voltage stability
      ii. Thermal Overload
      iii. Other, please specify
   f. How many times since your last audit have SPS operated?
19. Do you own, maintain, or operate SPS or RAS devices that belong to another NERC-registered entity? (Applicable to TO, TOP, GO and DP registered functions) If so, please answer the following questions:
   a. How do you coordinate with each Entity?
   b. How do you manage potential risks with each Entity?
20. Do you own or maintain Under Frequency Load Shedding (UFLS) devices? (Applicable to TO and DP registered functions) If yes,
   a. How many UFLS devices do you own?
   b. Are the devices under a common control system owned by you?
   c. How much load is shed if each UFLS device operates? (i.e., if you own nine devices, each capable of shedding 10 MW of load, you could potentially shed 90 MW of load if all nine operated)
   d. Describe the purpose of the UFLS program (i.e., local equipment protection or part of the WECC off-nominal frequency program)
   e. Since your last audit, when did your UFLS device(s) operate?
21. Do you own or maintain Under Voltage Load Shedding (UVLS) devices? (Applicable to TO and DP registered functions) If yes,
   a. How many UVLS devices?
   b. Are the devices under a common control system owned by you?
   c. How much load will be shed if each UVLS device operates?
   d. Describe the purpose of the UVLS program (i.e., local equipment protection or to prevent voltage collapse or voltage instability)
   e. Since the last audit, when did your UVLS device operate?

Operations

1. Do you own assets that are used for the delivery of energy? Are any of these assets connected at 100kV or above? If yes, describe the operations and maintenance responsibility of those assets. (Applicable to DP registered function)
2. Since your last audit, did you have any Misoperations on elements/facilities of a WECC path or WECC Major Transfer Path?
3. Do you have a formal root cause analysis process for reviewing all Protection System Misoperations? (Applicable to TO, DP, and GO registered functions)
   a. If yes, please provide a copy of your root cause analysis process.
   b. Is this the same process that would be used for event analysis?
4. Since the completion of your last audit, were there any relay or equipment failures on your system that impacted the reliability of your BES? (Applicable to DP, GO and TO registered functions) If yes, please answer the following questions:
   a. List all relay or equipment failures.
   b. What was the cause of such failures, including causes that are indeterminate or unknown?
   c. Was any of the equipment in scope associated with an area identified as high risk during your risk assessment?
   d. What actions did you take to correct the problem and to prevent reoccurrence?
   e. Please explain if any trends were identified.
   f. Please detail any lessons learned.
5. Please describe your maintenance for Major BES equipment (e.g. transformers, circuit breakers, insulators, circuit switchers, generators, turbines, etc.) (Applicable to GO and TO registered functions)
6. Do you have a policy for maintaining spares for critical BES equipment? (Applicable to GO and TO registered functions)
7. Since the completion of your last audit, did you have any incidents or situations where System Operating Limits (SOLs) were exceeded other than momentary excursion (e.g. less than five minutes)? (Applicable to RC, TOP, BA, TP, PA and GOP registered functions) For each SOL that was exceeded:
   a. Please provide the number of times SOL was exceeded more than five minutes.
   b. Identify the duration of the SOL exceedance.
   c. Were there any directives and/or operating instructions issued to mitigate the exceedance?
   d. What actions did you take to correct the problem and to prevent future recurrence?
8. For PRC-005-2, are you using a Performance-based methodology for any Protection System device maintenance?
   a. For any protective devices not covered under Version 1 that are now covered under Version 2, what is your process to ensure that these devices are maintained and tested according to your Protection System Maintenance Program (PSMP) maintenance and testing program?
9. Are you a participant of a Reserve Sharing Group (RSG)? (Applicable to BA registered functions)
   a. If yes, please list the name of the RSG you are participating in.
   b. How do you ensure reserves will be available when called upon by the RSG?
   c. Can you maintain any operating or contingency reserves independently without reliance upon an RSG, if required? Please explain.
10. How many NERC Certified System Operators are employed at your organization? (Applicable to RC, BA, and TOP registered functions)
   a. What is the annual turnover rate for System Operators within your organization?
   b. What risks have you identified pertaining to System Operators? (e.g. aging workforce, experience of new Operators)
   c. Do you take any specific steps to ensure you have an adequate number of trained system operators?
   d. When hiring a new System Operator, how many years of previous experience in that role is desired?
11. How many Relay Technicians, including Apprentice Relay Technicians, do you employ? (Applicable to TO, GO, and DP registered functions)
   a. What is the annual turnover rate for Relay Technicians within your organization?
   b. What risks have you identified pertaining to Relay Technicians? (e.g. aging workforce, experience of new Technicians)
   c. Do you take any specific steps to ensure you have an adequate number of trained Relay Technicians?
   d. When hiring a new Relay Technician, how many years of previous experience in that role is desired?

Events

1. Since the completion of your last audit, please list all system emergencies including the date, time and location. For the purposes of this question please consider “emergencies” as any events or conditions which meet the definition of Emergency in the NERC Glossary of Terms, meet the reporting thresholds of EOP-004, an operator declared emergency, or any condition where your system operators were operating in accordance with any emergency procedures you have established. (Applicable to all registered functions)
2. If your Registered Entity experienced a Category 1[1] event or higher, did you perform a compliance self-assessment? (Applicable to all registered functions)
3. Since the completion of your last audit, have there been any Cyber Security Incidents?
   a. If so, please provide a brief narrative including the date, time, location, and summary of the events. (Applicable to all registered functions)
4. Explain how physical and logical threats to your system are identified for BES Cyber Systems (BCS).
   a. What physical and logical threats have you identified?

[1] See Compliance Assessments for Events and Disturbances: 2016 ERO Enterprise Compliance and Enforcement Program Implementation Plan

Changes to the System

1. Please list all neighboring entities. (Applicable to all functions)
2. Since the completion of your last audit, did you implement any changes to the generation, transmission, load or operating conditions that could require changes in the Protection System of neighboring entities? (Applicable to GO, GOP, TO, TOP, and DP registered functions) If yes,
   a. Since your last audit, how many times were changes made that would require your neighboring entities to change their Protection System?
   b. How many neighboring entities were impacted by the changes?
   c. How did you coordinate and communicate any changes with your neighboring entities?
3. Since the completion of your last audit, did you add any new Protection Systems or make changes to the existing Protection Systems? (Applicable to GOP and TOP registered functions)
   a. What is your policy for retiring and replacing Protection System devices?
4. Since the completion of your last audit, please describe any changes in your system such as: (Applicable to all registered functions)
   a. New generation projects completed or in progress.
   b. New transmission projects completed or in progress.
   c. Any BES equipment decommissioned or removed from service.
   d. Any footprint change due to exchange of assets, company mergers, or delegation agreements.
   e. Any other changes to the system that your Entity has considered in its assessment of risk.

Critical Infrastructure Protection (CIP)

CIP Version 5

Facility and BCS Identification

1. How many High Impact facilities have you identified?
   a. What criteria in CIP-002-5.1 Attachment 1 apply?
   b. How many BES Cyber Assets (BCA) are at each facility?
   c. How many BES Cyber Systems (BCS) are at each facility?
   d. How many Protected Cyber Assets (PCA) have been identified for each BCS Electronic Security Perimeter (ESP)?
2. How many Medium Impact facilities have you identified?
   a. What criteria in CIP-002-5.1 Attachment 1 apply?
   b. How many BCA are at each facility?
   c. How many BCS have been identified?
   d. How many PCA have been identified for each BCS ESP?
   e. Specify if the facilities are Control Centers, have dial-up connectivity, or have External Routable Connectivity (ERC).
3. How many Low Impact BES facilities have you identified?
4. How many shared facilities do you own or operate that have High or Medium Impact BES Cyber Systems? If High and/or Medium BES facilities are shared,
   a. Please list all assets and locations of such assets.
   b. Who is responsible for maintaining these assets?
   c. Please describe how you manage the risk of such assets collaboratively with the other Registered Entities.

Identity and Access Management

1. How many external personnel (non-employees such as contractors, vendors, etc.) have access to BCS?
2. How many authorized personnel have logical access to BCS?
3. How many authorized personnel have physical access to BCS?
4. How many total authorized personnel have access to BCS?
5. Do you allow external interactive access to any BCS?
   a. If so, which remote access technologies do you use?

Cyber Security Incidents

1. Have you identified or assessed potential cyber threats (internal or external) that apply to your organization? If so, which threats have been identified?
   a. What is the potential likelihood and impact of these threats?
2. Is external service provider activity monitored to detect potential cyber security incidents?
3. Do you have any Low, Medium, and/or High Impact BCS devices which are currently impacted by any NERC Alerts? If so, which NERC Alerts and which devices?

System Management

1. What operating systems are used by BCA, PCA, Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) components, as applicable, within each BCS?
   a. If you are using legacy software or hardware,
      i. Do you still have vendor support for those systems?
      ii. What is your plan to replace the legacy systems?
2. Who is your EMS/SCADA vendor?
   a. Is your EMS/SCADA software the most current version approved/released by the vendor? If not, how many versions have been approved/released since your last EMS/SCADA upgrade?
   b. How many software versions does your EMS/SCADA vendor support (i.e., current version only, current version and one previous version, etc.)?
   c. What platform are you running EMS/SCADA on? Is this different from the platform recommended by your vendor?
3. How many ESP access points do you have? Please include the types and vendors of each access point.
4. Do you have any virtualized environments within your ESPs?
   a. If so, how many and which virtualization technologies do you use?
5. How many Physical Security Perimeters (PSPs) have you identified?
   a. How many PSPs are in each facility?
   b. In miles, how geographically dispersed are the facilities containing PSPs?
6. Have there been any changes to the design or access points of existing PSPs since your last CIP audit?
7. Have you identified any threats which apply to your PSPs/Facilities?
8. How many ESPs have you identified?
9. Have there been any changes to your ESP since the last audit?
   a. If so, please describe the change (upgraded systems from a.x to b.a, upgraded systems from a.x to a.y, put in a whole new system, replaced a system with a similar system on a different platform, etc.)
10. Does your company have a Bring Your Own Device (BYOD), or similar, policy for CIP facilities?
   a. If so, please describe your policy, including any details about what employees can/cannot do with personal devices, consequences, etc.

IRA Survey Certification

By signing below the entity Compliance Contact or equivalent affirms that the information provided to WECC is true and correct to the best of the signer’s knowledge.

____________________________________
Signature

____________________________________
Printed Name/Title