ST. LOUIS — The NERC Board of Trustees voted Thursday to approve a supply chain report and a new standard on third-party transient electronic devices while retiring 84 reliability requirements. Below is a summary of the actions on, and discussions of, standards at the May 8-9 meetings of the Trustees and the Member Representatives Committee (MRC).
Standards Efficiency Review Retirements OK’d
Completing Phase 1 of the Standards Efficiency Review (SER) project begun in 2017, the trustees approved the complete retirement of 10 standards and the elimination of some requirements for seven standards.
NERC also approved the withdrawal of MOD-001-2, which has been awaiting FERC approval since February 2014 (RM14-7). It was intended to ensure that calculations of available transmission system capability support reliability and that the methodology and data behind the calculations are disclosed to applicable registered entities. The standards authorization request (SAR) said the standard was no longer needed because other standards, including subsequent improvements to transmission operator rules, ensure that real-time operations observe system operation limits.
Each of the changes received 87 to 97% approval on balloting that closed May 2, said Howard Gugel, vice president of engineering and standards. (See NERC Standards Retirements Go to Final Ballot.)
In total, 77 requirements and part of one requirement are being retired in addition to the six MOD requirements being withdrawn.
The seven standards for which only some of the requirements were eliminated were given updated version numbers reflecting the revisions:
- FAC-008-4 – Facility Ratings
- INT-006-5 – Evaluation of Interchange Transactions
- INT-009-3 – Implementation of Interchange
- IRO-002-7 – Reliability Coordination – Monitoring and Analysis (reflecting the retirement of Requirement R1 and a variance for reliability coordinators in WECC; see below)
- PRC-004-6 – Protection System Misoperation Identification and Correction
- TOP-001-5 – Transmission Operations
- VAR-001-6 – Voltage and Reactive Control
Gugel said FERC staff have expressed concerns over a few of the retirements but that NERC staff agree with the rationale provided by the standards development team and are confident that the retirements will not cause any vulnerabilities. “When we file this with FERC, we will provide additional supporting arguments and lay out how all these standards requirements hold together to bridge any potential gap,” he said in response to a question from Chair Roy Thilly.
Team Reviewing Feedback on SER Phase 2
Phase 2 of the Standards Efficiency Review is considering changes in six areas of the organization’s operations and planning (O&P) and critical infrastructure protection (CIP) standards.
John Allen, chair of SER Phase 2, briefed the MRC on the results of the industry survey that ended March 22 with submissions from 75 participants. (See “Chair Urges Comments on Standards Efficiency Review,” NERC Standards Committee Briefs: March 20, 2019.)
Participants were asked to indicate via a 1-10 scale how much they supported each of six concepts.
Changes to the evidence-retention rules, which vary by standard, ranked highest at 8.12, said Allen, manager of reliability compliance for the City Utilities of Springfield (Mo.). They were closely followed by consolidating information/data exchange requirements (8.11); moving requirements to guidance (7.85); and developing a risk-based standards template (7.78).
Less popular were relocating competency-based requirements to the certification program/controls review process (6.85) and consolidating and simplifying training requirements (6.19).
The Phase 2 team will use the feedback to evaluate and prioritize the concepts for potential action.
Trustees OK WECC Variance; Questions on Gen-only RC, Calif.-Ariz. Seam
The trustees approved reliability standard IRO-002-6 (Reliability Coordination – Monitoring and Analysis), which adds a variance for the WECC region to address its transition to multiple reliability coordinators (RCs) with the demise of Peak Reliability. (It was immediately supplanted by IRO-002-7, reflecting the retirement of Requirement 1 from SER Phase 1.)
The variance requires each RC to develop a “common interconnection-wide modeling and monitoring methodology” for use in operational planning analysis and real-time assessments, including facility ratings, thermal limits and steady state voltage limits.
“Actions that happen up in the Northwest can impact the Southwest, so for us it’s important to have that coordination across the entire model,” David Godfrey, WECC’s vice president of reliability and security oversight, told the board in an update on the RC transition.
The Eastern Interconnection, which has 16 RCs, has not asked for the standardization requirement WECC sought, Gugel said.
“In the Eastern Interconnection, there’s a lot of coordination that occurs there, but the geographic spread and regional diversity there sometimes doesn’t lend itself to requiring a common model,” he said. “Something going on in Florida for an operation situation may not be necessary for the folks up in Manitoba. It does seem to be necessary out in the Western Interconnection, but we’re continuing to evaluate whether it would be necessary in the East.”
Godfrey’s presentation included a map showing most of the West has chosen CAISO’s or SPP’s RC services but that several generation-only balancing areas — wind, solar and gas units — have selected Gridforce Energy Management.
“This will fit within our certification criteria?” Thilly asked.
“We’re early in that part of the process,” responded NERC General Counsel Charlie Berardesco. “I would ask a little patience as we consider the application and the actual technical details. … We haven’t made a determination on anybody yet.”
CEO Jim Robb said the transmission operators and balancing authorities are accountable for ensuring they have an accredited RC.
“We’ve made it very clear when this whole regime change started to occur a year-and-a-half ago that if — by the time Peak winds down — there aren’t certified reliability coordinators in place, we pull out heavy-duty enforcement actions,” Robb said.
He also said he was concerned about the seam between Arizona and California, noting “that’s been a corridor where bad things have happened in the past.”
“Are we pretty confident that seams agreements that are being developed will provide for fairly seamless operations on those paths?” he asked Godfrey.
Godfrey said he was, adding, “We will continue to monitor that to make sure that [the agreements are] enforced.”
NERC Task Force to Build on EPRI EMP Study
Mark Lauby, NERC senior vice president and chief reliability officer, told the MRC that the organization is launching a task force in response to the Electric Power Research Institute’s April report on the threat of electromagnetic pulses.
The EPRI report concluded a high-altitude nuclear explosion could cause a multistate electric outage but not the nationwide, months-long blackout some observers have warned of. (See EPRI Report Downplays Worst-Case EMP Scenario.)
Lauby said the task force will review the EPRI report to identify additional research needs and best practices and potential reliability standards for mitigating the impacts. He noted that the report did not look at the impacts on generation.
The group is expected to begin work this month and present any SARs to the Standards Committee, if needed, in the fourth quarter.
“This is not to relitigate the research results,” Lauby said. “But rather, now with what we’ve learned from those results … we are better informed to understand exactly what makes sense from a guideline perspective or standard perspective.”
Robb told the Board of Trustees on Thursday that Lauby has laid out an “aggressive” timeline.
“We now understand the science,” he said. “So we can galvanize our resources, and industry’s, to start to think through, ‘OK, what sort of response is required here?’”
Supply Chain Report Recommends Expanding Standards
The trustees accepted staff’s Supply Chain report, which recommends revising the supply chain standards to address electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) associated with high and medium impact bulk electric system cyber systems. Monitoring, alarming and logging systems would be excluded.
FERC ordered NERC to expand protections to EACMS last October, when it approved the organization’s supply chain standards: CIP-013-1 and modifications in CIP-005-6 and CIP-010-3 (RM17-13, Order 850). (See FERC Finalizes Supply Chain Standards.)
Among the best practices cited in the report are use of “well-known, trusted and established vendors” and those with third-party accreditations or self-certification of their supply chain practices.
“We stand ready to facilitate; we don’t intend to be the accreditor but do want to be a part of the process,” Gugel told the MRC on Wednesday.
The report did not recommend including all low-impact BES cyber systems in the standards but called for additional study on whether low-impact systems with external routable connectivity should be covered. Staff are working on a data request under Section 1600 of the NERC Rules of Procedure to obtain additional information on the subject. It also will continue monitoring the issue through questionnaires and surveys.
To address potential risks to such systems in the interim, staff will work with the Critical Infrastructure Protection Committee (CIPC) Supply Chain Working Group to develop guidelines to help entities evaluate their protected cyber assets on a case-by-case basis. The report also recommends that entities refer to best practices of the North American Transmission Forum, North American Generation Forum, National Rural Electric Cooperative Association and the American Public Power Association.
CIP Standard Approved
The trustees approved CIP-003-8 (Cyber Security – Security Management Controls) in response to FERC’s April 2018 order approving CIP-003-7 and directing NERC to modify it to “mitigate the risk of malicious code that could result from third-party transient electronic devices.”
Section 5.2.1 in Attachment 1 of CIP-003-7 requires the use of at least one safeguard before connecting a transient cyber asset to a low-impact BES cyber system, including reviews of antivirus updates and application whitelisting.
The revision adds a new section 5.2.2 to ensure that the entity acts to mitigate any risks identified in the reviews from Section 5.2.1. It requires entities to “determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the transient cyber asset” (Project 2016-02).
Evidence of compliance that entities can provide includes documentation from change management systems, email and contracts that identify a review.
Andy Dodge, director of FERC’s Office of Electric Reliability, provided the MRC an update on two reliability standards pending before the commission:
- Comments are due June 24 on FERC’s April 18 Notice of Proposed Rulemaking proposing to adopt CIP-012-1 (Cyber Security – Communications between Control Centers), which would require protections for communication links and data communicated between BES control centers and clarify the types of data that must be protected (RM18-20). (See FERC Proposes Revisions to NERC CIP Standard.)
- Also pending is CIP-008-6 (Cyber Security Incident Reporting), which NERC filed on March 7 in response to a July 2018 FERC order (RM18-2). The commission called for expanded reporting of cybersecurity incidents, saying attempts not currently reported could lead to bigger, more successful attacks. The standard would expand mandatory reporting to include actual or attempted compromises of an entity’s electronic security perimeter (ESP) or associated EACMS. (See FERC Orders Expanded Cybersecurity Reporting.)
Post-technical conference comments are due May 24 on FERC’s March 28 joint technical conference with the Department of Energy on security investments (AD19-12). (See TSA Defends Pipeline Security Practices Before FERC.)
Dodge also mentioned FERC staff’s March 29 report on lessons learned from commission-led CIP audits in fiscal 2018. The second in what is intended as an annual report, it includes the results of the audits by the Office of Electric Reliability and input from the Office of Enforcement and Office of Energy Infrastructure Security.
The report makes 13 recommendations, including implementing valid security certificates within BES cyber systems; using strong encryption for interactive remote access; and replacing or upgrading “end-of-life” system components of cyber assets.
— Rich Heidorn Jr.