Reliability & Compliance
By GridSME Reliability & Compliance Team 07 Dec, 2021
Recent NERC News
By GridSME Reliability & Compliance Team 21 Sep, 2021
These are genuinely exciting times to be working in the power industry. The volume of new generation and storage resources coming online has been well-publicized. But each new resource also introduces a new risk to the reliability and security of the grid. In WECC and TRE alone, more than 130 new registered Generator Owners (GOs) have been introduced to those Interconnections in the past five years. And we are only getting started: we expect the next five years to see considerably more resource additions to the grid than the previous five. Naturally, all of the new market entrants bring confusion and anxiety with them, and digesting and understanding the NERC Reliability Standards is certainly part of that.

Two of the Reliability Standards that cause the most confusion and anxiety for new Registered Entities (REs) are CIP-002-5.1a, Cyber Security – BES Cyber System Categorization, and CIP-003-8, Cyber Security – Security Management Controls. These Reliability Standards require soon-to-be REs to first identify and categorize their BES Cyber Systems, and then implement one or more documented cyber security plan(s) for those BES Cyber Systems. Aside from requiring those plans to contain, at a minimum, certain components, the Standard leaves considerable discretion to you, the Registered Entity.

The CIP journey begins with CIP-002, and the confusion starts right there. The most common question about CIP-002 is whether the RE needs to generate an inventory of the devices that are part of its BES Cyber System. No, the Standard does not explicitly require an RE with low impact BES Cyber Systems to inventory its devices. But once you consider that the objective of the CIP Standards is to identify and protect your critical infrastructure, it is almost impossible to get around inventorying the devices that comprise your BES Cyber System(s). After all, it is very difficult for an auditor to assess the effectiveness of your CIP-003 cyber security plans if you have not specifically identified what it is you are protecting. How do you protect what you have not identified? CIP-002 and the device inventory are also where the auditor (e.g., WECC, TRE) will begin its assessment. So, although there is no explicit requirement in CIP-002, we highly recommend that REs maintain a current inventory of the devices that comprise their BES Cyber Systems. Additionally, the Regional Entities (i.e., SERC, WECC, TRE), with whom you will deal directly on compliance issues, are in many cases requesting that inventory as part of an initial CIP Self-Certification review, which may be conducted any time after registration.

CIP-003 is also a considerable source of confusion for new REs. CIP-003 requires REs to develop and implement cyber security plan(s) for the BES Cyber Systems they identified and categorized under CIP-002. CIP-003 is not prescriptive, and NERC is intentional in making it non-prescriptive. There are at least a couple of reasons for this. First, NERC acknowledges there are many ways an entity might accomplish the Standard’s objective, which is to protect critical infrastructure from cyber and physical security risks. Second, NERC’s strategy for compliance is not to tell REs “if you do these specific things, you will be secure”; NERC’s approach is to define the performance objective that needs to be achieved. As we know, there are no absolutes when it comes to security and risk management. Given the lack of specificity in the CIP-003 Standard, how does an RE really know what to put in its cyber security plans and whether they are compliant? The inherent ambiguity and lack of specificity in the Standard leave many REs unsure of how to build their cyber security plans. And once those plans are developed and implemented, some REs then struggle to assess whether those plans are compliant and “audit-ready.”

In evaluating whether its cyber security plans are sufficient and effective in meeting CIP-003’s objectives, and therefore compliant, the RE should first ask the question: does our cyber security plan identify sufficient controls to protect our assets? For example, to meet the requirement and objective of protecting its cyber assets from malicious code introduced by Transient Cyber Assets and Removable Media (TCA/RM), an RE may implement a policy control forbidding the use of any TCA/RM in its BES Cyber Systems. If the RE were audited, the auditor would assess the effectiveness of this policy control by reviewing evidence that proves the null (i.e., is there evidence that demonstrates no TCA/RM was plugged into the BES Cyber Systems?). Another RE may also meet the Standard’s objectives by implementing a policy that allows TCA/RM use with its BES Cyber Systems, provided that, to mitigate the risk of malicious code, all TCA/RM is first scanned by a device outside of its BES Cyber Systems. In this case, the auditor would look at a log of all TCA/RM plugged into the BES Cyber Systems and evaluate evidence showing that each of those devices was properly scanned and cleared beforehand.

Another key to understanding CIP-002 and CIP-003 is the Reliability Standard Audit Worksheet (RSAW). When conducting an audit, the auditor uses the RSAW, its questions, and its assessment tools to assess the effectiveness of your CIP program. An RE can therefore use an RSAW outside of an audit environment to periodically evaluate its compliance program through the lens of the auditor. This can be an especially valuable tool for a newly registered entity looking to gain assurance that it is on the right track. While the heart of your compliance program should not be the RSAW, it can be a valuable tool an RE can use to periodically evaluate how it is doing and where it may have gaps.

To recap, in CIP-002, NERC requires REs to first identify and categorize their BES Cyber Systems – i.e., what it is you need to protect. Next, NERC requires REs to design and implement controls to meet the security objectives addressed in CIP-003. To demonstrate that it has met the requirements of these two Standards, the RE must generate evidence that demonstrates it has identified and categorized what it needs to protect, implemented security plans to protect those assets, and that the plans’ controls are effective in meeting the plans’ security objectives.
By GridSME Reliability & Compliance Team 30 Jun, 2021
Recent NERC News
By GridSME Reliability & Compliance Team 04 Jan, 2021
GridSME has been talking to a number of existing generator owners who plan on greatly enhancing the flexibility of their PV and wind generation facilities through the addition of Battery Energy Storage Systems (BESS). There are many generators interconnected at >100 kV that do not have nameplates >75 MVA and are, therefore, not required to register with NERC as BES assets. Generator owners should be aware that the addition of battery storage contributes to the nameplate capacity considered for registration, even if it does not change the deliverability to the BES from an MVA perspective. An opinion from one of the Regional Entities confirmed that all nameplate capacity would be counted towards the >75 MVA threshold.

Example – An existing >100 kV interconnected 50 MVA solar PV facility is adding 50 MVA of battery storage capability, but is not changing its Generator Interconnection Agreement (GIA) deliverability to the POI of, say, 45 MW. Per the NERC BES Definition, this resource now has 100 MVA of nameplate capacity and must register with NERC as a BES asset even though its deliverability to the POI has not changed.
By GridSME Reliability & Compliance 31 Aug, 2020
The Background

Just a few years ago, the only generators that needed to worry about Generator Model Validation testing and reporting were those registered with NERC. Those registered generators must comply with three NERC Reliability Standards: MOD-025, MOD-026, and MOD-027, which essentially require Generator Model Validation (GMV) or, in NERC’s words, “Verification of Models and Data.” Then the dynamics of the grid became more and more complex with the significant penetration of intermittent renewables. As the changing grid dynamics unfolded (e.g., minuscule responses to minuscule changes in voltage and frequency, multiplied by thousands of inverters, can lead to major events), system operators realized they needed a higher quantity and quality of data and models of the system. And here we are today, where nearly every generator in CAISO and ERCOT, whether NERC-registered or not, has a GMV requirement. In CAISO, the generator has 120 days to perform these tests and report the data and updated models to its Transmission Planner (e.g., PG&E or SCE) and CAISO. In ERCOT, generators must perform GMV procedures and reporting as a requirement for COD.

Why the increased requirements in CAISO and ERCOT? Their systems have seen some of the highest inverter-based renewable penetrations in the country. With this comes a heightened need for system and generator model accuracy.

What to Plan for as a Generator Owner?

The first question to answer is, “Will these GMV requirements apply to my generator?” If your generator is within the CAISO or ERCOT Balancing Authority Areas, the short answer is yes. If your generator is located outside these areas, the answer is a little more nuanced. Table 1 below details which generators, in most cases, do and do not have GMV requirements.
By Cypress Creek Renewables 18 May, 2020
Cypress Creek Renewables (CCR) recently passed an Operations & Planning (O&P) Reliability Standards audit conducted by SERC. GridSME sat down with CCR to discuss the experience, the results of the audit, lessons learned, and key takeaways. Here is the Q&A:

Can you provide a high-level summary of the audit?

We were first notified by SERC in July 2019 that Cypress Creek was on the audit schedule for 2020 with a proposed audit date in May 2020. The official audit engagement began when we received the Audit Notification Letter (ANL) in January 2020. The ANL identified the specific Reliability Standards and Requirements included in the scope, as well as data requests related to organizational information and internal controls. Our audit scope included Operations and Planning (O&P) standards specific to the Generator Operator (GOP) registration and was conducted remotely by SERC. There were five audit team members, including a Point of Contact (POC) and an Audit Team Lead. Audit documentation was delivered via the SERC portal, and the audit team reviewed our compliance evidence in a timely fashion and was very communicative throughout the process. SERC issued just one follow-up data request and finished its review ahead of schedule with zero findings. Overall, the audit went smoothly and was a great learning experience for our entity as one of the first solar-specific GOPs to be audited in the SERC region.

What was the audit process like? Was there anything that took Cypress Creek by surprise? Was the process clear?

The audit process was straightforward, with deliverables, due dates, additional information requests, and responses communicated to us in a timely manner. We saw this process divided into 5 basic steps following Appendix 4C of the NERC Rules of Procedure:

First, Cypress Creek was notified by SERC of our inclusion in the 2020 annual audit plan in July 2019 and was requested to confirm the proposed dates.

Second, the Audit Notification Letter (ANL) was received about 4 months before the scheduled audit dates. Along with the ANL, there was also a Request for Information and a Certification Letter. The ANL identified the specific Reliability Standards and Requirements for evaluation and the Regional Entity’s preferred formatting on the Reliability Standard Audit Worksheets (RSAWs). The Request for Information (RFI) included a questionnaire on the organization’s internal control practices, and the Certification Letter requested general company information such as business organizational charts. The audit team scheduled an introductory call soon after delivery of the ANL to introduce themselves and to discuss the process.

Third, the requested audit material was provided to SERC within 30 days. This upload included the completed RSAWs, associated evidence files, and responses to the RFI and Certification Letter.

Fourth, the audit team reviewed the submitted information for compliance with the Reliability Standards. Following this review, SERC provided Cypress Creek with an audit update, which included a preliminary determination status for the in-scope Reliability Standards. All standards had been assessed a status of “No Finding” except one, for which additional information was required and a corresponding data request was issued. Cypress Creek had approximately a week and a half to respond to the data request and upload additional evidence for their review of that Requirement. Cypress Creek received a second audit update in late March that confirmed all requirements were moved to a “No Finding” status.

Fifth, SERC conducted an exit presentation, provided the draft audit report for Cypress Creek’s review, and delivered the final signed report to Cypress Creek.

As communicated by the audit team during our opening presentation, if a potential non-compliance had been identified, the SERC audit team would have turned the proceedings over to the enforcement team following the exit presentation. We were pleased with how communicative the auditors were and how the audit was concluded ahead of schedule. Our Exit Presentation was held the last week of March, almost 2 months before our originally scheduled audit date in May. Our audit was also largely uninterrupted by COVID-19, as the audit had already been determined to be off site and the initial evidence gathering had already been completed prior to travel restrictions being implemented.

What would Cypress Creek recommend to entities to prepare prior to an audit?

We have a couple of recommendations based on our experience, which worked well for us.

(1) Conduct a mock audit. We recommend inclusion of all the Reliability Standards applicable to your registration and for your Subject Matter Experts to sit for mock interviews. This exercise is helpful to fine-tune organization and presentation, RSAW narratives and citations, and most importantly, to confirm and obtain feedback on evidence. The objective is to prepare the RSAWs and evidence in advance, as close to final form as possible. A mock audit will help confirm that your organization is ready for the audit or identify any areas of concern ahead of time.

(2) Involve your management team early and often. Cypress Creek’s senior leadership was very supportive and prioritized being present and available to the compliance team throughout the audit. For example, the senior leadership team was present at the Opening and Exit Presentations and asked questions of the audit team, demonstrating engagement. The Regional Entities may notice touchpoints like this, since there is a section in the Audit Report about Compliance Culture.

(3) Review your Regional Entity’s audit resources. At Cypress Creek, we placed a priority on attending Open Forums and Compliance Seminars, and we were able to refer to internal notes and published recordings and presentations, which helped us identify how the Regional Entity conducts its audits. This included identifying how SERC prefers evidence to be organized, including citation format and folder structure, which led to positive feedback from the audit team on our organization and presentation.

During the audit, what were Cypress Creek’s interactions with the audit team like? How many of your team members interacted with SERC during the audit? Was the entire audit conducted remotely, and did that introduce any unique challenges? What form of interaction and communication was most effective?

Our interactions with the audit team were positive and professional. The audit team members were responsive and, since the audit was designated as offsite from the initial notice, we went into the audit with a communication philosophy of “early and often” and did not face any unexpected challenges. While it is always a best practice to have designated Points of Contact from each team, this was especially important for an off-site audit. Written communication was most effective and appropriate for correspondence related to material content, while verbal conversations were most effective for establishing a rapport with the auditors. For example, the introductory call and opening presentation were key opportunities for senior management to meet the auditors and demonstrate active engagement, and for the compliance team to ask questions.

Did the audit result in any material changes to Cypress Creek’s compliance program, policies, or procedures going forward?

Since our audit results included no recommendations and no potential non-compliances, there were no material changes made to Cypress Creek’s compliance program. The results and audit experience confirmed that our program and focus areas for development align with NERC’s risk-based approach and encouraged Cypress Creek to continuously improve elements of our program, such as internal controls. We were pleased to hear that the auditors had positive feedback for an entity of our size regarding our program structure and about the material contents of our documentation.
By GridSME Reliability & Compliance Team 30 Mar, 2020
Have you ever been curious about what events led to the increase in regulations aimed at strengthening the physical security protection of your electric substations? In this article we will take a dive into the events that led to the standards and how those standards affect your substations. In the electric energy industry, a predominant compliance driver has focused on cyber security of the bulk electric system controls. In 2013, the focus on cyber security compliance issues for electric utilities was augmented with some new physical security requirements. In this article, I’ll introduce you to the events that led to the development of these new regulations and how you can develop and implement a physical security protocol that meets these new guidelines.

Metcalf Substation Attack

There is no doubt that on the night of April 15, 2013, several very well-informed attackers caused physical damage to Pacific Gas & Electric’s large 500 kV/230 kV Metcalf Transmission Substation located south of San Jose, California. Beginning at about 1:00 AM, the attackers cut two fiber communication lines. After they were finished, they resealed the telecom vaults and spread garbage in the area to help draw attention away from their actions. At 1:31 AM the attackers began shooting at the substation transformers and circuit breakers. Ten of the 11 transformers were struck. It appeared that the attackers only shot at the “hot” transformers (one was down for maintenance). By 1:45 AM the transformers had begun to shut down, presumably due to low cooling oil levels and low oil pressures. The subsequent investigation identified 116 impact points on 22 pieces of equipment, and 52,000 gallons of transformer oil was spilled onto the base of the substation foundation. It was also determined during the investigation that the slow response time of the employees and the inaccessibility of the substation allowed the perpetrator(s) enough time to escape before the police arrived on scene.
By GridSME Reliability & Compliance Team 07 May, 2019
In preparation for the upcoming CAISO Transmission Planning Process requirement pertaining to the Electromagnetic Transient (EMT) Modeling Guide for Inverter Based Generators (effective May 31, 2019), GridSME has developed a Frequently Asked Questions (FAQ) bulletin to support affected entities. GridSME has observed that this requirement has created numerous questions for generators within the CAISO footprint. If your facility is a Category 1 or 2, you may be required to submit an EMT model suitable for sub-synchronous resonance (SSR) studies. These FAQs are designed to provide a better understanding of the EMT model requirements.

Questions addressed in this bulletin:

What is an EMT model and what is it used for?
How do I know if I have to provide this information to CAISO?
What category has CAISO identified my generating plant as?
What information is required to complete an EMT model?
In what format do I need to submit the required data?
What happens if I do not comply on time with the CAISO TPP BPM?

If you would like more information on how this requirement may impact your organization, don’t hesitate to reach out. We look forward to assisting you with the EMT submission requirements or answering any questions that you may have.
By GridSME Reliability & Compliance Team 03 Jan, 2019
CAISO has recently established new modeling requirements for generators as part of its expansion of the transmission planning process. These requirements require action for some generating units starting in May 2019. GridSME has developed these Frequently Asked Questions to help CAISO generators navigate these new requirements and determine if and when they may apply to you.
By GridSME Reliability & Compliance Team 19 Oct, 2018
FERC Approves New Supply Chain Reliability Standards to Address Cyber Security Risks