Entity Name ( Acronym) NCRnnnnn Risk Assessment Questionnaire




Upcoming Audit Date: March 16, 2015
Upcoming Audit Type: O&P Audit
Start of Audit Period: March 16, 2012
Date Submitted:

Table of Contents

Entity Name Information ... 2
Entity Name Registered Functions ... 2
Entity Name Logistical Information (Complete this section for on-site audits only) ... 3
    Audit Location ... 3
    Airport ... 3
    Recommended Hotels ... 4
Confidentiality and Background Checks ... 4
Delegated Reliability Standard Requirements ... 5
Company Profile ... 6
Entity Name Technical Data ... 6
Entity Name Control Center Locations ... 7
Entity Name Reliability Assessment ... 8
SCADA Network Questionnaire ... 9
Entity Name Compliance Questionnaire ... 11
Third Party Questionnaire ... 13
Subsidiaries and Regional Presence Questionnaire ... 13
Certification ... 14
Appendix A. Revision History ... 15

Entity Name Pre-Audit Questionnaire 1

Entity Name Information

Primary Compliance Contact:
    Name:
    Title:
    Street 1:
    Street 2:
    City:
    State:
    Zip:
    Phone:
    Alt. Phone:
    Email:

Alternate Compliance Contact:
    Name:
    Title:
    Street 1:
    Street 2:
    City:
    State:
    Zip:
    Phone:
    Alt. Phone:
    Email:

Entity Name Registered Functions

Your company has registered with NERC for the following functions (please validate):

Registration Function        Registration Date    Deregistration Date
Reliability Coordinator:
Transmission Operator:
Balancing Authority:
Transmission Owner:
Generator Owner:
Generator Operator:
Load Serving Entity:
Distribution Provider:
Resource Planner:
Transmission Planner:

Is the list of functions correct for your company's NERC Functional Registration? Yes / No
If no, please explain the errors in the list.

Identify your:
    Reliability Coordinator (RC):
    Balancing Authority (BA):
    Neighboring BA(s):
    Transmission Operator (TOP):
    Neighboring TOP(s):
    Generator Operator (GOP):
    Generator Owner (GO):
    Transmission Service Provider (TSP):
    Planning Authority/Coordinator (PA/PC):
    Reserve Sharing Group (RSG):

In what regions do you perform the listed functions?

Do you have any joint registrations or coordinated function registrations with another entity? If yes, provide details, including the NERC JRO or CFR number.

Are you a participant in an MRRE (Multi-Region Registered Entity)? (Yes/No) If yes, provide details below.

Entity Name Logistical Information (Complete this section for on-site audits only)

To aid the audit team in making travel arrangements, please provide the following information:

Audit Location
Please provide the physical (street) address where the audit will be held:

Airport
Please provide the location of the airport that you would recommend the audit team use.

Please provide the driving directions from the airport to the audit location.

Recommended Hotels
Include three hotels with the following information:

Hotel 1
    Name:
    Address:
    Phone Number:
    Corporate rate:
    Rate name or code:
    Directions to the audit location:

Hotel 2
    Name:
    Address:
    Phone Number:
    Corporate rate:
    Rate name or code:
    Directions to the audit location:

Hotel 3
    Name:
    Address:
    Phone Number:
    Corporate rate:
    Rate name or code:
    Directions to the audit location:

Confidentiality and Background Checks

The regional entity delegation agreement and the NERC non-disclosure agreement provide the mechanism by which compliance audit team members adhere to confidentiality requirements. Audit team members are not required to sign a separate confidentiality agreement with the registered entity. Please sign and acknowledge that you understand the audit team will not sign additional confidentiality agreements with your company.

Acknowledgement:

Please identify the requirements for visitors prior to being allowed onsite (background checks, photo ID, clearances for foreign auditors, etc.).

Response:

Delegated Reliability Standard Requirements

Have you delegated any reliability standard requirements to another entity?
NOTE: You will need to have a copy of the formal delegation agreement available for review during the audit.
If yes, for each delegated requirement, please identify the entity, reference the associated delegation agreement, and reference the documentation that supports that the delegated requirements are being properly performed.

Delegated Requirement    Name of Entity You Delegated To    Delegation Agreement    Documentation

Have any reliability standard requirements been delegated to you from another entity?
NOTE: You will need to have a copy of the formal delegation agreement available for review during the audit.
If yes, for each delegated requirement, please identify the entity who delegated the requirement to you and reference the associated delegation agreement.

Delegated Requirement    Name of Entity Who Delegated the Requirement    Delegation Agreement

Company Profile

[List entity information regarding usage, ownership, or operational responsibilities pertaining to the BES. In addition, information identifying geographical area, size, organizational roles, etc. should be included.]

Entity Name Technical Data

Please provide a geographical and electrical description of your system:

Peak Load (non-coincident MW) and date:
Total Generation, Nameplate Capacity owned (MW):
Number of Customers Served (Industrial/Commercial and Residential):
Critical Customers (major military bases, communication hubs):
Load Shedding Responsibility (Yes/No):
Underfrequency Load Shedding (Yes/No): MW of load shedding in the Planning Coordinator UFLS plan:
Undervoltage Load Shedding (Yes/No): List location and MW shed:
Special Protection System Name and Location:
Blackstart Generation (own units required per TOP restoration plan) (Yes/No): If yes, list the TOP, unit names and location:

Transmission Lines:

Voltage       BES Number of Miles    Number of Interconnection Points and With Whom
500 kV
345 kV
230 kV
161 kV
138 kV
115 kV
Sub-100 kV

BES Substations:

Highest Voltage Present    BES Number of Subs
500 kV
345 kV
230 kV
161 kV
138 kV
115 kV
Sub-100 kV

System Network Information:

SCADA/EMS Vendor:
Firewall Vendor(s):
Network Device Vendor(s):
Workstation OS(s):
Database Management Software(s):
Historian Vendor(s):
Number of ICCP Associations:
Number of Electronic Security Perimeter (ESP) Access Points:
Number of people with Physical Access to one (1) or more Physical Security Perimeters (PSPs):
Number of people with Electronic Access to one (1) or more ESPs:
Number of each: BES Cyber Assets (BCA) / Protected Cyber Assets (PCA) / Electronic Access Control or Monitoring Systems (EACMS) / Physical Access Control System (PACS) Cyber Assets:

Please provide a list of your transmission facilities, generation facilities and flowgates in the attached Entity's Pre-Audit Spreadsheet.

Entity Name Control Center Locations

Primary Control Center:
    Street 1:
    Street 2:
    City:
    State:
    Zip:
    Functions Performed:
    MW Generation Controlled:

Backup Control Center:
    Street 1:
    Street 2:
    City:
    State:
    Zip:
    Functions Performed:
    MW Generation Controlled:

Additional Control Center:
    Street 1:
    Street 2:
    City:
    State:
    Zip:
    Functions Performed:
    MW Generation Controlled:

Entity Name Reliability Assessment
(Report only those events that occurred during the audit period)

Vegetation Contacts*:
Directives Received:
Directives Issued:
Energy Emergency Alerts (include EEA levels):

Events Reported (EOP-004-2)                               Number of Events    Date(s) of Events
Loss of firm load
Load shedding events*
Equipment failure*
System separation (islanding)
Generation loss*
Transmission loss*
Complete loss of off-site power to a nuclear plant*
SCADA and EMS system failures*
Evacuation of Primary Control Center (non-training)*
Complete loss of voice communication capability*
Complete loss of monitoring capability*

*List events that were reportable.

SCADA Network Questionnaire

Systems, Protocols and Architecture

1. What operating system(s) do you use for your primary SCADA/EMS?

2. What are the primary communication protocols used between your RTUs and the SCADA/EMS?

3. What communications transport mechanism do you use for RTU communications to the SCADA/EMS (please indicate the approximate percentage by type)?

RTU Communication                      Percentage
Private copper/fiber
Phone company leased line
Phone company frame relay / MPLS
Cell
Power line carrier
Microwave
Other (please write in)

4. What are the primary communication protocols used between IEDs at BES facilities?

Primary Communication Protocols
Serial (please write in names)
DNP (serial, TCP, or both)
Modbus
Other (please write in)

5. Please identify all SCADA networks and the connections to those networks:
    a. Identify all discrete SCADA networks:
    b. For each SCADA network listed above, identify all connections of, or access to, the following types:
        Internal local area and wide area networks, including business networks
        Internet
        Wireless network devices, including satellite uplinks
        Modem or dial-up connections
        Connections to business partners, vendors, support companies or regulatory agencies
        Connections to other utilities and RTOs
        Remote SCADA/EMS access

6. Please provide documentation of your network architecture related to SCADA, including a single-line network architecture diagram and a single-line network logic diagram. List and/or describe the documentation provided below.

7. Does your company utilize any of the following systems in its BES facilities?

Systems                                                                                   Yes or No
Substation Automation Systems with localized workstations
Control logic or Plant Control Systems originating from the SCADA/EMS
Meter Interrogation System
Synchrophasor Measurement Units (PMUs)
Relay event retrieval system (such as a workstation with a dial-up connection to multiple protective relays, used to retrieve targets, alarms, etc.)

Entity Name Compliance Questionnaire

1. Does your organization have a formalized (i.e. written) internal compliance program with regard to Reliability Standards? If yes, please explain the scope of the internal compliance program that addresses the NERC Reliability Standards.

2. Please state the extent to which the internal compliance program is distributed within your organization (please include information on training, workshops, newsletters, mailings, and other relevant information that demonstrates effective communications and/or measurements of compliance). For example, does your internal compliance program include a whistle-blowing procedure?

3. Please identify the person(s) and title(s) responsible for compliance with Reliability Standards (e.g. Compliance Manager, Corporate Compliance Officer or other position).
    Compliance Contact Name:
    Compliance Contact Title:

4. Please provide an organization chart that includes supervision levels (i.e. chain of command) and responsibilities, and provide a detailed explanation of the supervision and decision-making structure related to the internal compliance program.

5. Please explain the relative independence of the compliance responsibilities within the organization from operations. For example, do those with compliance responsibilities have direct access to senior-level executives (e.g. the Chief Executive Officer or President) and/or the Board of Directors? Please provide sufficient details in your response.

6. Please state whether the internal compliance program is operated and managed in a manner that is independent from the departments responsible for performance to the Reliability Standards. Please explain your response.

7. Please state the resources (in terms of full-time equivalents, positions, or budgets) dedicated to the internal compliance program. Are there unfilled positions related to the internal compliance program or, in your opinion, are there sufficient resources dedicated to the internal compliance program? Please explain.

8. Please explain senior management's role in the internal compliance program. Is there active, regular participation? Is there senior executive sponsorship of the internal compliance program? Please explain.

9. Please explain the review frequency of your internal compliance program. Who initiates the review of the internal compliance program? Please explain.

10. How does your internal compliance program ensure that employees understand the Reliability Standards that apply to their jobs? Please explain.

11. Please explain the frequency of self-audits and self-assessments within your internal compliance program. Who performs the self-audits and self-assessments related to the internal compliance program?

12. Please provide details on corrective action plans when a potential violation of a Reliability Standard is discovered, including disciplinary procedures for applicable employees.

13. Please explain the controls your internal compliance program has in place to prevent the recurrence of a violation.

14. Please provide any additional information that may demonstrate the effectiveness of your internal compliance program and was not addressed in this survey.

Third Party Questionnaire

Third Party Obligations
1. Are you using any third-party contractors for any of the 693 (Operations and Planning) or CIP requirements?
2. Are any of those third-party contractors working as Subject Matter Experts?

Subsidiaries and Regional Presence Questionnaire

Subsidiaries
1. Are there any subsidiaries associated with the Registered Entity?
2. If yes, will any of these subsidiaries be included in the audit?
3. Please provide ownership of processes, policies, procedures, activities, programs, and operational locations (e.g. data center locations and management, GOP/GO).

Certification

I have completed this survey and, to the best of my knowledge, the responses to this survey are true and correct.

Survey was completed by:
Title:
Date:
Signature:

I have reviewed the survey responses and, to the best of my knowledge, the responses to this survey are true and correct.

Authorized Company Officer:
Title:
Date:
Signature:

Appendix A. Revision History

Rev    Date          By Whom                          What
1.0    2013-12-02    Keller, Williams and Perry       Initial version
2.0    2014-09-24    Jim Williams                     Updated to align with SPP RE Assessment Template
3.0    2015-08-07    Jim Williams and Steven Keller   Updated to align with SPP RE Assessment Template
3.0    2015-08-18    Ron Ciesiel                      Approved