NERC AWARENESS TRAINING

Presentation transcript:

NERC AWARENESS TRAINING Annual Refresher - 2019 Susan Sosbe, COMPLIANCE SS 1/29/18

NERC EMPLOYEE TRAINING Quick Review – What is NERC? Compliance Commitment, Program, Policy Employee Responsibility Review Event Reporting Operating Plan and Procedure For Reporting a Potential Non-Conformance Critical Infrastructure Protection (CIP)

NERC EMPLOYEE TRAINING WHAT IS NERC? North American Electric Reliability Corp. The mission of NERC is to ensure the reliability of the Bulk Electric System (BES) in North America (U.S. and Canada). Under the authority of FERC, NERC enforces the Reliability Standards with all entities who have registered in one (1) or more of the ten (10) industry segments defined by NERC. NERC is the acronym for the NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION. THE MISSION OF NERC IS TO ENSURE THE RELIABILITY OF THE BULK POWER/ELECTRIC SYSTEM IN NORTH AMERICA, WHICH INCLUDES THE U.S., CANADA, AND SMALL PARTS OF MEXICO. NERC gets its authority from THE FEDERAL ENERGY REGULATORY COMMISSION (FERC). Under that authority, NERC enforces the RELIABILITY STANDARDS with ALL Users, Owners, and Operators of the Bulk Power System.

NERC EMPLOYEE TRAINING How Does NERC Apply To Wabash Valley? Reliability Standards are the planning and operating rules that Registered Entities must follow to ensure the most reliable system possible. Compliance is mandatory & enforceable under the scope of NERC’s Regulatory Authority. We must have Procedures and Documentation for each Standard/Requirement/Measure that is applicable to us. Wabash Valley falls under the jurisdiction of two (2) Regional Reliability Organizations (Reliability First Corporation-RF and SERC Reliability Corporation-SERC). RF is the lead Region. Co-ops in Indiana are in the RF Region. Co-ops in Illinois and Missouri are in the SERC Region. Holland Energy, LLC is in the SERC Region.

NERC EMPLOYEE TRAINING How Does NERC Apply To Wabash Valley? Currently, Wabash Valley’s Registrations are: Distribution Provider (DP) – Provides and operates “wires” between the transmission system and the end-use customer. This registration incorporates our Co-ops. Generator Owner (GO) - The entity that owns and maintains generating units. WVPA is the “GO” for the Wabash River Highland Plant (WRHP). NAES is the Generator Operator (GOP) for this facility. We work together to ensure compliance for this facility. WVPA became the GO effective 9/7/11. WVPA is registered as a GO in the RF Region only. Transmission Owner (TO) – Added this registration on 12-26-18 in the SERC Region with the acquisition of the BES transmission assets from Citizens Electric Corporation.

NERC ANNUAL TRAINING CURRENT JOINT REGISTRATION Reliability First SERC WHAT ARE THE KEY ELEMENTS OF COMPLIANCE OF THE WVPA AND MEMBER SYSTEM NERC COMPLIANCE PROGRAM? - COMMITMENT to fulfill all responsibilities and requirements under NERC. - It is the responsibility of EVERY WVPA and Member Co-op Employee to follow the Policies, Procedures, and Requirements of the NERC Compliance Program.

NERC EMPLOYEE TRAINING How Does NERC Apply To Wabash Valley? We also share compliance responsibility with Hoosier Energy and with NAES Corporation for Holland Energy, LLC. Holland Energy, LLC is registered as a Generator Owner (GO), and NAES Corporation, Holland, is registered as the Generator Operator (GOP). Compliance Contacts: GO: Primary: Susan Sosbe, WVPA Secondary: Greg Vonfeldt, Hoosier GOP: Kent Schmohe, NAES, Plant Manager

NERC EMPLOYEE TRAINING Commitment To Compliance Wabash Valley is committed to fulfilling all of our responsibilities and requirements under NERC. It is the responsibility of every Wabash Valley Employee to follow the Policies, Procedures, and Requirements of our NERC Compliance Program.

NERC EMPLOYEE TRAINING Compliance Program Goals and Objectives: Ensure that WVPA complies with all applicable NERC, RF, and SERC Reliability Standards, which in turn, supports the goal of reliable and secure power production and supply. Ensure that WVPA is prepared to provide required information and data to RF, SERC, and NERC in order to demonstrate compliance with all applicable Reliability Standards. To continue to build a “Culture of Compliance”.

COMPLIANCE POLICY Adopted by the Board of Directors, Rev. 2017 Policy Number B-24

NERC ANNUAL TRAINING Co-op Responsibilities
- Complete & Return “Equipment Confirmation Form” (annually)
- Work with WVPA Compliance Manager regarding Policies, Procedures and Compliance/Documentation Associated with NERC Compliance: NERC Compliance Written Plans
- Conduct Employee Training Sessions (New Employees/Annual Refresher)
- Express Concerns & Ask Questions About The Program
- Report Any Potential Non-Compliance Immediately
- As outlined in the “Event Reporting Operating Plan” required by EOP-004-3, report Events in a timely manner.
What Responsibilities do Co-ops have?
- Complete and Return the Equipment Confirmation Form on an annual basis. This is part of our evaluation of Special Protection Systems, Underfrequency and Undervoltage Load Shedding Equipment.
- Work with the WVPA Compliance Manager regarding Policies, Procedures and Compliance Documentation.
- Conduct NERC Training Sessions on an annual basis.
- Express any Concerns regarding the Program, and Report any potential Non-Conformance immediately.
What is a “non-conformance”? It’s basically an “oops”, where we didn’t follow a Procedure, such as timely reporting of a Sabotage Event. We must investigate the potential non-conformance and implement corrective actions in order to ensure Compliance.

PLANS/PROCEDURES WVPA EVENT REPORTING OPERATING PLAN Replaces Disturbance Reporting and Sabotage Reporting, effective 1/1/14. Procedure For Reporting A Potential Non-Conformance, Procedure #5064. We have 3 Procedures to review today. You should recognize these from the NERC Training that was conducted last year. Those Procedures are: Sabotage Reporting, Procedure For Reporting a Potential Non-Conformance And, Disturbance Reporting.

EVENT REPORTING OPERATING PLAN Purpose: To outline the Protocol for reporting Events within timelines, and to the Entities, outlined in EOP-004-3 for BES Facilities. Events will be reported within 24 hours of recognition of meeting a Reportable Event type threshold and within the 1 to 6 hour reporting requirements of DOE, if applicable.

EVENT REPORTING OPERATING PLAN REPORTABLE EVENTS BY EVENT TYPE (Applicable to WVPA)
Columns: Event Type, WVPA Registration, Threshold for Reporting
- Damage or Destruction of a Facility. WVPA Registration: DP, GO, TO. Threshold for Reporting: Damage or destruction of a Facility that results from actual or suspected intentional human action.
- Physical Threats to a Facility. Threshold for Reporting: Physical Threat to a Facility, excluding weather or natural disaster related threats, which has the potential to degrade the NORMAL operation of the Facility. OR suspicious activity or device at a Facility.
- Loss of Firm Load. WVPA Registration: DP. Threshold for Reporting: Loss of firm load ≥ 200MW for ≥15 minutes.
- Terrorism Acts. Threshold for Reporting: Actual or suspected physical or cyber/communication attacks that could impact electric power system adequacy/reliability as defined by DOE.
- Vandalism. Threshold for Reporting: Does not meet definition of terrorism.

WVPA REPORTING GUIDELINES BASED UPON EVENT TYPE
Columns: Event Type, Report To, Timeline, Contact
- Damage or Destruction of a Facility: Local Law Enforcement; MISO, RF/SERC, NERC. All within 24 hours of recognition. See Reporting Procedures by Entity.
- Physical Threats to a Facility: DOE. Within 24 hours of recognition; 1 hour. See Reporting Procedures by Entity. Report to DOE within 1 hour if it meets DOE criteria, such as loss of load.
- Terrorism Acts: Joint Terrorism Task Force (JTTF) – Coordinates resources of federal, state & local law enforcement; MISO, RF/SERC, NERC. Within 24 hours of recognition. JTTF: 24x7: 1-617-742-5533. Reporting Procedures by Entity.
- Vandalism: Local/State Police, Sheriff.
- Loss of Load: MISO, RF/SERC, NERC ≥200MW; DOE ≥300 MW. Within 1 hour.

EVENT REPORTING OPERATING PLAN Protocol: Contact Susan, Brent, Kari, or Lee. Work with WVPA to complete appropriate documentation (NERC Event Report Form/DOE OE-417). Co-ops use Event Reporting System. Susan will handle reporting to appropriate Entities. Act of Terrorism: Susan will report to the Joint Terrorism Task Force (JTTF). Contacts must be verified annually and verification must be documented (Susan).

PROCEDURE FOR REPORTING A POTENTIAL NON-CONFORMANCE Procedure Purpose: To outline the steps that internal & external personnel must follow in order to properly report a potential non-conformance pursuant to NERC Compliance. PLEASE REPORT IMMEDIATELY UPON DISCOVERY!

PROCEDURE FOR REPORTING A POTENTIAL NON-CONFORMANCE Procedure Steps: WVPA Employee, Co-op, or an external entity becomes aware of a potential non-conformance. They report it to one of the following personnel:
- WVPA Compliance Manager
- WVPA Exec. VP, Transmission & Reg. Affairs
- WVPA President/CEO
- WVPA Legal Counsel
Communication Flow: *Depending upon the severity, the WVPA Board of Directors may also be notified. Depending upon circumstance, Co-op Board of Directors may be notified as well.

PROCEDURE FOR REPORTING A POTENTIAL NON-CONFORMANCE Procedure Steps: The WVPA Compliance Manager investigates & documents the potential non-conformance.
If the issue is NOT a non-conformance, the WVPA Compliance Mgr. will communicate the status, implement improvement measures, and will retain all documentation.
If the issue IS a non-conformance, the WVPA Compliance Mgr. will:
- Report to the Appropriate Agency & Develop a Mitigation Plan
- Implement Corrective Actions
- Communicate Status
- Retain All Documentation

NERC EMPLOYEE TRAINING WVPA Compliance Critical Infrastructure Protection (CIP) Standards
CIP-005-2.1 BES Cyber System Evaluation completed - low impact for both WVPA, WRHP, and Holland Energy.
CIP-003-6: Cyber Security Management Controls - Low Impact Requirements:
Cyber Security Awareness Program 4-1-17
- Communications
- Management support and reinforcement
- Program shared with Member Cooperatives.
Cyber Security Incident Response 4-1-17
- Identify, classify, respond, reporting of incident.
- Test every 36 months.
- JRO Members and applicable facilities included.
- First exercise of Plan was also completed prior to 4-1-17!

NERC CIP UPDATE Critical Infrastructure Protection (CIP) Standards
June 2017: BES Cyber System Evaluation completed - low impact for both WVPA and Holland Energy.
CIP-003-6 Low Impact Requirements:
Cyber Security Awareness Program 4-1-17
Cyber Security Incident Response 4-1-17
- Exercise, Report, Lessons Learned
Cyber Security Policies 4-1-17
- Leadership Designation Policy
- Cyber Security Policy
- Security Management Controls Policy
- Visitor Management Policy (WVPA & WRHP)

NERC UPDATE What’s New With NERC Critical Infrastructure Protection (CIP) Standards (CIP-003-7) Low Impact Requirements:
Physical Security Controls 1-1-20
- Control physical access based upon need to the asset or the locations of the low impact BES Cyber Systems within the asset, and the Cyber Assets that provide electronic security controls.
Electronic Access Controls 1-1-20
- Permit only necessary inbound and outbound electronic access for specific communication types.
- Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber Systems per Cyber Asset capability.

NERC UPDATE What’s New With NERC Critical Infrastructure Protection (CIP) Standards (CIP-003-7) Low Impact Requirements:
Transient Cyber Assets and Removable Media Malicious Code Risk Mitigation 1-1-20
Implement, except under CIP Exceptional Circumstances, one or more plans to achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media.
- For Transient Cyber Assets, the use of one or a combination of the following in an ongoing or on-demand manner, including antivirus software, application whitelisting, or other methods. There are additional requirements for joint use.
- For Removable Media, methods to detect malicious code using a Cyber Asset other than a BES Cyber System; and mitigation of a threat of detected malicious code on the Removable Medium prior to connection to low impact asset.

NERC UPDATE What’s New With NERC Critical Infrastructure Protection (CIP) Standards (CIP-003-7) Low Impact Requirements:
Declaring & Responding to CIP Exceptional Circumstances 1-1-20
- Processes to declare a CIP Exceptional Circumstance
- Processes to respond to a CIP Exceptional Circumstance
Definition of a CIP Exceptional Circumstance as per the NERC Glossary of Terms:

NERC CIP UPDATE NERC FINES
- 2019 (FERC): $10 million – Unidentified Registered Entity. 127 Violations of CIP Standards, which posed a serious risk to the security and reliability of the BES. Violations took place from 2015-2018 and were identified via self reports and audits.
- 2018 (WECC): $2.7 Million – Unidentified Registered Entity. Violation of CIP Standard CIP-003-3, R4 and R5. Contracted vendor exceeded its authorized access by improperly copying data from Entity’s servers to their own, where it was no longer subject to Entity’s controls – contained Cyber Asset data.
- 2017 (SERC): $500,000 - Unidentified Registered Entity. Violation of CIP & Non-CIP Standards and Requirements (twelve {12} Standards and thirty-three {33} Requirements).
- Highest Fine to Date, 2010: $25 million – FPL.

NERC EMPLOYEE TRAINING QUESTIONS? Please contact: Susan Sosbe, Compliance Manager x 2848