2018 audits demonstrate ISO-NE’s strong culture of compliance
Four significant reviews during the year concluded successfully
NERC CIP Compliance
The NERC Critical Infrastructure Protection (CIP) compliance audit, which covered a three-year period, measured both cyber and physical security standards critical to ensuring electrical reliability. Complying with CIP Version 5 is a highly complex, ongoing process, including 33 requirements and more than 160 sub-requirements.
A new CIP and Systems Compliance Operations team was created in 2017 to improve the ISO’s efforts. This group of employees implemented a centralized system for monitoring and documentation; developed consistent, repeatable, and sustainable processes with clear role definitions; trained technical subject matter experts; and overhauled the Reliability Standards Audit Worksheets and evidence-gathering methods.
Auditors from the Northeast Power Coordinating Council (NPCC) were on site October 22–25, 2018. During their visit, they conducted intensive reviews, interviews, and inspections, with questions requiring that the ISO generate and submit hundreds of data files. Afterward, NPCC made only five minor recommendations, such as additional signage and moving related assets closer together. Positive observations were made regarding the ISO’s electronic security, and the CIP and Systems Compliance Operations team was praised for its knowledge, cooperation, and responsiveness.
Emerging technologies and revisions to other NERC standards mean that compliance requirements change frequently. The CIP and Systems Compliance Operations team is already planning ahead for some predictable new standards expected for the next audit, which will take place in 2021.
NERC Operations and Planning Compliance
From June 5–7, 2018, the NPCC completed its fourth triennial onsite audit of ISO New England’s compliance with NERC operations and planning Reliability Standards. They concluded that ISO New England was compliant with all 15 requirements of the 11 NERC Standards covered. The scope and timeframe for the 2018 audit were substantially reduced from prior audits due to the ISO’s participation in the NPCC’s internal controls evaluation (ICE) process. Auditors interviewed subject matter experts; visited the master control center and the backup control center; and reviewed the ISO’s compliance program, business procedures, work products, and internal control environment. Both before and during the visit, NPCC recognized the ISO’s demonstration of strong internal controls.
Auditors also identified two areas of excellence:
- The Operations Performance, Training, and Integration Group, which has developed effective system operator training
- The way the ISO’s back up control center closely replicates the primary control center environment, and is used for operator training
Other significant positive observations from NPCC representatives included recognition of the ISO’s implementation of the NPCC ICE team’s recommendations; high quality of audit preparation and responses; additional situational awareness displays and enhanced control room alarms; and operating beyond standard requirements.
FERC Division of Audits and Accounting
On April 18, 2018, ISO New England also successfully completed an intensive audit by the Federal Energy Regulatory Commission (FERC) Division of Audits and Accounting (DAA). The DAA evaluated a four-year period of compliance with the with the ISO Open Access Transmission Tariff; FERC Order No. 1000, which established new electric transmission planning and cost allocation requirements; and FERC’s accounting, reporting, and record-retention requirements.
Service Organizations Controls 1 Type 2
Lastly, on November 9, 2018, ISO New England completed a Service Organization Controls (SOC) 1 Type 2 report covering the previous year. For the 14th year in a row, auditors from KPMG LLP delivered an “unqualified opinion.”
- Inside ISO New England