Entity Name ( Acronym) NCRnnnnn Risk Assessment Questionnaire

Transcription

1 Entity Name ( Acronym) NCRnnnnn Risk Assessment Questionnaire Upcoming Audit Date: March 16, 2015 Upcoming Audit Type: O&P Audit Start of Audit Period: March 16, 2012 Date Submitted:

2 Table of Contents Entity Name Information...2 Entity Name Registered Functions...2 Entity Name Logistical Information (Complete this section for on-site audits only)...3 Audit Location...3 Airport...3 Recommended Hotels...4 Confidentiality and Background Checks...4 Delegated Reliability Standard Requirements...5 Company Profile...6 Entity Name Technical Data...6 Entity Name Control Center Locations...7 Entity Name Reliability Assessment...8 SCADA Network Questionnaire...9 Entity Name Compliance Questionnaire...11 Third Party Questionnaire...13 Subsidiaries and Regional Presence Questionnaire...13 Certification...14 Appendix A. Revision History...15 Entity Name Pre-Audit Questionnaire 1

3 Entity Name Information Name Title Street 1: Street 2: City State Zip Phone Alt. Phone Name Title Street 1: Street 2: City State Zip Phone Alt. Phone Primary Compliance Contact: Alternate Compliance Contact: Entity Name Registered Functions Your company has registered with NERC for the following functions: (please validate) Registration Function Registration Date Deregistration Date Reliability Coordinator: Transmission Operator: Balancing Authority: Transmission Owner: Generator Owner: Generator Operator: Load Serving Entity: Distribution Provider: Entity Name Pre-Audit Questionnaire 2

4 Resource Planner: Transmission Planner Is the list of functions correct for your company s NERC Functional Registration? Yes No If no- please explain the errors in the list. Reliability Coordinator (RC) Balancing Authority (BA) Neighboring BA(s) Transmission Operator (TOP) Neighboring TOP(s) Generation Operator (GOP) Generation Owner (GO) Transmission Service Provider (TSP) Planning Authority/Coordinator (PA/PC) Reserve Sharing Group (RSG) Identify your: In what regions do you perform the listed functions? Do you have any joint registrations or coordinated function registrations with another entity? If yes, provide details including NERC JRO or CFR number. Are you a participant in a MRRE? (Yes/No) If Yes, provide details below Entity Name Logistical Information (Complete this section for on-site audits only) To aid the audit team in making travel arrangements, please provide the following information: Audit Location Please provide the physical (street) address where audit will be held: Airport Please provide the location of the airport that you would recommend the audit team use. Entity Name Pre-Audit Questionnaire 3

5 Please provide the driving directions from the airport to the audit location. Recommended Hotels Include three hotels with the following information: Name: Address: Phone Number Corporate rate: Rate name or code: Directions to the audit location: Name: Address: Phone Number Corporate rate: Rate name or code: Directions to the audit location: Name: Address: Phone Number Corporate rate: Rate name or code: Directions to the audit location: Confidentiality and Background Checks The regional entity delegation agreement and NERC non-disclosure agreement provides the mechanism for compliance audit team members to adhere to confidentiality requirements. Audit team members are not required to sign a separate confidentiality agreement with the registered entity. Please sign and acknowledge that you understand the audit team will not sign additional confidentiality agreements with your company. Acknowledgement: Entity Name Pre-Audit Questionnaire 4

6 Please identify the requirements for visitors prior to being allowed onsite (background checks, photo id, clearances for foreign auditors, etc)? Response: Delegated Reliability Standard Requirements Have you delegated any reliability standard requirements to another entity? NOTE: You will need to have a copy of the formal delegation agreement available for review during the audit. If yes, for each delegated task, please identify the entity, reference the associated delegation agreement, and reference documentation that support the delegated requirements are being properly performed. Delegated Requirement Name of Entity You Delegated To Delegation Agreement Documentation Have any reliability standard requirements been delegated to you from another entity? NOTE: You will need to have a copy of the formal delegation agreement available for review during the audit. If yes, for each delegated requirement, please identify the entity who delegated the task to you and reference the associated delegation agreement. Delegated Requirement Name of entity who delegated the requirement Delegation Agreement Entity Name Pre-Audit Questionnaire 5

7 Company Profile [List entity information regarding usage, ownership, or operational responsibilities pertaining to the BES. In addition, information identifying geographical area, size, organizational roles, etc. should be included.] Entity Name Technical Data Please provide a geographical and electrical description of your system: Peak Load (non-coincident MW) and date: Total Generation- Nameplate Capacity owned (MW): Number of Customers Served (Industrial/Commercial and Residential): Critical Customers (major military bases, communication hubs) Load Shedding Responsibility: (Yes/No) Underfrequency Load Shedding: (Yes/No) MW of load shedding in Planning Coordinator UFLS plan Undervoltage Load Shedding: (Yes/No) List location and MW shed Special Protection System Name and Location: Blackstart Generation: (Own units required per TOP restoration Plan) Yes/No. If Yes, list what TOP, unit names and location Transmission Lines: Voltage 500 kv 345 kv 230 kv 161 kv 138 kv 115 kv Sub-100 kv BES Numbers of Miles Number of Interconnection points and with whom BES Substations: Entity Name Pre-Audit Questionnaire 6

8 Highest Voltage Present 500 kv 345 kv 230 kv 161 kv 138 kv 115 kv Sub-100 kv BES Numbers of Subs System Network Information: SCADA/EMS Vendor: Firewall Vendor(s): Network device Vendor(s): Workstation OS(s): Database Management Software(s): Historian Vendor(s): Number of ICCP Associations: Number of Electronic Security Perimeter (ESP) Access Point(s): Number of people with Physical Access to one (1) or more Physical Security Perimeter PSP(s): Number of people with Electronic Access to one (1) or more ESP(s): Number of each: BES Cyber Asset(s) (BCA)/ Protected Cyber Asset(s) (PCA)/ Electronic Access Control or Monitoring System(s) (EACMS)/ Physical Access Control System (PACS) Cyber Assets(s): Please provide a list of your transmission facilities, generation facilities and flowgates in the attached Entity s Pre-Audit Spreadsheet. Entity Name Control Center Locations Street 1 Primary Control Center: Entity Name Pre-Audit Questionnaire 7

9 Street 2 City State Zip Functions Performed MW Generation Controlled Street 1 Street 2 City State Zip Functions Performed MW Generation Controlled Street 1 Street 2 City State Zip Functions Performed MW Generation Controlled Backup Control Center: Additional Control Center: Entity Name Reliability Assessment (Report only those events that occurred during the audit period) Vegetation Contacts* Directives Received Directives Issued Energy Emergency Alert (include EEA Levels): Events Reported (EOP-004-2) Number of events Date(s) of events Entity Name Pre-Audit Questionnaire 8

10 Loss of firm load Load shedding events* Equipment failure* System Separation (islanding) Generation loss* Transmission loss* Complete loss of off-site power to a nuclear plant* SCADA and EMS System failures*: Evacuation of Primary Control Center (Non-Training)* Complete loss of voice communication capability* Complete loss of monitoring capability* *List events that were reportable. SCADA Network Questionnaire Systems, Protocols and Architecture 1. What operating system(s) do you use for your primary SCADA/EMS? 2. What are your primary communication protocols used between your RTUs and SCADA/EMS? 3. What communications transport mechanism do you use for RTU communications to the SCADA/EMS (please indicate approximate percentage by type)? RTU Communication Private copper/fiber Phone company leased line Phone company frame relay / MPLS Cell Power Line Carrier Microwave Other (please write-in) Percentage 4. What are your primary communication protocols used between IEDs at BES facilities? Primary Communication Protocols Entity Name Pre-Audit Questionnaire 9

11 Serial (please write in names) DNP (serial or TCP or both) Modbus Other (please write-in) 5. Please identify all SCADA networks and the connections to those networks: a. Identify all discrete SCADA networks: b. For each SCADA network listed above, identify all connections of/or access to the following types: Internal local area and wide area networks, including business networks Internet Wireless network devices, including satellite uplinks Modem or dial-up connections Connections to business partners, vendors, support companies or regulatory agencies Connections to other utilities and RTOs Remote SCADA/EMS access 6. Please provide documentation of your network architecture related to SCADA including a single-line network architecture diagram and single-line network logic diagram. List and/or describe the documentation provided below. 7. Does your company utilize any of the following systems in its BES facilities? Systems Substation Automation Systems with localized workstations Control logic or Plant Control Systems originating from the SCADA/EMS Meter Interrogation System Synchro-Phasor Measurement Unit s (PMU s) Relay event retrieval system (such as a workstation with dialup connection to multiple protective relays used to retrieve targets, alarms, etc ) Yes or No Entity Name Pre-Audit Questionnaire 10

12 Entity Name Compliance Questionnaire 1. Does your organization have a formalized (i.e. written) internal compliance program with regard to Reliability Standards? If yes, please explain the scope of the internal compliance program which addresses the NERC Reliability Standards. 2. Please state the extent to which the internal compliance program is distributed within your organization (please include information on training, workshops, newsletters, mailings, and other relevant information which demonstrate effective communications and/or measurements of compliance). For example, does you internal compliance program include a whistle blowing procedure? 3. Please identify the person(s) and title(s) of who is responsible for compliance with Reliability Standards (e.g. Compliance Manager, Corporate Compliance Officer or other position). Compliance Contact Name: Compliance Contact Title: 4. Please provide an organization chart which includes supervision levels (i.e. chain of command ) and responsibilities, and provide a detailed explanation of the supervision and decision-making structure related to internal compliance program. 5. Please explain the relative independence of the compliance responsibilities within the organization from operations. For example, do those with compliance responsibilities have direct access to senior-level executives (e.g. including the Chief Executive Officer, President) and/or Board of Directors? Please provide sufficient details in your response. 6. Please state whether the internal compliance program is operated and managed in a manner that is independent from departments responsible for performance to the Reliability Standards. Please explain your response. 7. Please state the resources (in terms of full time equivalents, positions, or budgets), dedicated to the internal compliance program. Are there unfilled positions related to Entity Name Pre-Audit Questionnaire 11

13 the internal compliance program or, in your opinion, are there sufficient resources dedicated to the internal compliance program? Please explain. 8. Please explain senior management s role in the internal compliance program. Is there active, regular participation? Is there senior executive sponsorship of the internal compliance program? Please explain. 9. Please explain the review frequency of your internal compliance program. Who initiates the review of the internal compliance program? Please explain. 10. How does your internal compliance program ensure that employees understand the appropriate Reliability Standards that apply to their jobs? Please explain. 11. Please explain the frequency of self audits and self assessments within your internal compliance program. Who performs self audits and self assessments related to the internal compliance program? 12. Please provide details on corrective action plans when a potential violation of a Reliability Standard(s) is discovered, including disciplinary procedures for applicable employees. 13. Please explain the controls in place to prevent the re-occurrence of the violation in your internal compliance program. 14. Please provide any additional information which may demonstrate the effectiveness of your internal compliance program which was not addressed in this survey. Entity Name Pre-Audit Questionnaire 12

14 Third Party Obligations Third Party Questionnaire 1. Are you using any Third Party contractors for any of the 693 or CIP requirements? 2. Are any of those third party obligations working as Subject Matter Experts? Subsidiaries and Regional Presence Questionnaire Subsidiaries 1. Are there any subsidiaries associated with the Registered Entity? 2. If yes, will any of these subsidiaries be included in the audit? 3. Please provide ownership of processes, policies, procedures, activities, programs, operational locations (e.g. data center locations and management, GOP/GO.) Entity Name Pre-Audit Questionnaire 13

15 Certification I have completed this survey and to the best of my knowledge, the responses to this survey are true and correct. Survey was completed by: Title: Date: Signature: I have reviewed the survey responses, and to the best of my knowledge, the responses to this survey are true and correct. Authorized Company Officer: Title: Date: Signature: Entity Name Pre-Audit Questionnaire 14

16 Appendix A. Revision History Rev Date By Whom What Keller, Williams Initial version and Perry Jim Williams Updated to align with SPP RE Assessment Template Jim Williams and Steven Keller Updated to align with SPP RE Assessment Template Ron Ciesiel Approved Entity Name Pre-Audit Questionnaire 15