PCS BLOG

 

Just over eleven years ago, FERC issued Order 693 approving 83 mandatory Reliability Standards, and the North American electric grid regulatory landscape changed dramatically. FERC also directed NERC to modify several Standards, bringing about dozens of Standard Drafting Teams. The initial Standards changes were fast and furious, but NERC had a goal of achieving a “Steady State” with regard to the Standards. With only nine currently active Standards Development Projects, has NERC achieved a Steady State? Just as importantly, can your Compliance Program operate at a Steady State? Is your Compliance Program up-to-date with the latest Standards changes?

Steady State is a relative assessment, so consider this.  Of the 101 currently effective National and Regional Reliability Standards, sixty have an effective date of January 1, 2016 or later.  Almost 60% of the current Reliability Standards have changed in some manner in the last 2.5 years.  That does not include the 10 approved standards awaiting implementation, or the standards approved by NERC awaiting approval from FERC, or the new Compliance Guidance documents being routinely posted, or the multiple changes to the NERC Rules of Procedure.  Some of the changes were minor, and some were significant. 

So, can your Compliance Program operate at a Steady State? Only if you routinely incorporate Change Management into your overall Compliance Program management (this is not the Change Management required by the CIP Standards).

What are the right components of managing changes to NERC compliance requirements?

  • Identification – Monitor FERC, NERC and Regional filings, postings, workshops, webinars, committees and forums to identify changes in standards, compliance guidance documents, and auditing approaches.

  • Implementation – Review posted Implementation Schedules carefully and communicate with NERC and Regional Entities to clearly understand the implementation schedule.   Plan your implementation to allow time to meet compliance well ahead of the deadlines.

  • Modifications – Review and update any applicable Policies and Procedures to promote compliance with the new requirements.

  • Training – Make sure Operating Personnel are effectively trained on meeting any new compliance obligations.

  • Communication – Clearly communicate compliance expectations to impacted personnel.

  • Control – Establish controls or review activities to ensure new compliance obligations are being met.

We, as the industry, and NERC have an obligation to support grid reliability by continually reviewing and improving the mandatory Reliability Standards.  Changes to the Standards and Requirements will be ongoing.  That can include adding or modifying Requirements, or retiring low value/low risk Requirements.  If your Compliance Program is not up-to-date with the latest Standards, your company could be at risk for missing compliance obligations, or alternately, your company could be wasting resources on retired Requirement activities.  Either way, to minimize the risk and maximize the effectiveness of your Compliance Program, Change Management should be integral to your processes.

If you have questions about how to more effectively manage the continually changing NERC compliance obligations, do not hesitate to contact PCS.  We currently monitor and communicate Standards and Compliance change activities for a number of clients on an ongoing basis with our Standards Compliance Intelligence Portal (SCIP). 

Contact Proven Compliance Solutions for a SCIP demo today, or call 262-436-4116.

 

As discussed earlier in this post, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Supply Chain project is underway. The Federal Energy Regulatory Commission (FERC) released its Notice of Proposed Rulemaking (NOPR) in which it proposes to approve CIP-013-1, CIP-005-6, and CIP-010-3. FERC also proposes to change the implementation plan from 18 months to 12 months, giving applicable registered entities less time to demonstrate compliance.

In addition, the same NOPR proposes to direct NERC to further modify CIP Standards to require protections for Electronic Access Control and Monitoring Systems (EACMS), Physical Access Controls (PACs), and Protected Cyber Assets (PCAs). Perhaps new Standard language will simply apply the same supply chain controls to these new device types. 

The FERC NOPR can be found here. The next step in the process is to allow for comments and then issue the FERC Order to approve the new Standards, which starts the implementation timeline.

PCS has begun helping its clients write procedures to address new CIP Supply Chain requirements, including the following:

  • Process for the procurement of BES Cyber Systems to identify and assess cyber security risk to the Bulk Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor to another vendor;
  • Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  • Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  • Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
  • Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
  • Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System;
  • Coordination of controls for (i) vendor-initiated Interactive Remote Access, and (ii) system-to-system remote access with a vendor(s);
  • Review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan at least once every 15 calendar months;
  • Determining active vendor remote access sessions (including Interactive Remote Access and system-to-system remote access);
  • Disabling active vendor remote access (including Interactive Remote Access and system-to-system remote access);
  • Prior to a change of operating system / firmware, software, or security patches, and when the method to do so is available to the Responsible Entity from the software source: (i) verify the identity of the software source; and (ii) verify the integrity of the software obtained from the software source.

The missing CIP-012 standard has now arrived - at least in development form. CIP-001 (sabotage) was retired. CIP-002 through CIP-011 still exist as well as CIP-014. CIP-013 (supply chain) is under development, and now CIP-012 is in the form of draft one. Initial ballot and comments are due September 11, 2017.

Requirement 1 states: "The Responsible Entity shall develop one or more documented plan(s) to mitigate the risk of the unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring while being transmitted between Control Centers. This excludes oral communications."

Controls can be one of the following:

  • Physically protecting the communication links transmitting the data;
  • Logically protecting the data during transmission; or
  • Using an equally effective method to mitigate the risk of unauthorized disclosure or modification of the data.

Requirement 1 also includes this note: "If the Responsible Entity does not have a Control Center or it does not transmit the type of data specified in Requirement R1 of CIP-012-1 between two Control Centers, the requirements in CIP-012-1 would not apply to that entity."

Requirement 2 is very simple, requiring entities to implement the above plan except during CIP Exceptional Circumstances.

Interestingly, this is the first CIP Standard to require controls for communications outside the Electronic Security Perimeter (ESP). Requirement 1 doesn't say between the Responsible Entity's Control Centers. It applies between any Control Centers, whether owned by the Responsible Entity or by another Responsible Entity. Therefore, this Standard will take more coordination with other entities than most CIP Standards. Entities will need to identify which Control Centers they communicate data with for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring.

Operational Planning Analysis is defined by NERC as "An analysis of the expected system conditions for the next day’s operation. (That analysis may be performed either a day ahead or as much as 12 months ahead.) Expected system conditions include things such as load forecast(s), generation output levels, Interchange, and known system constraints (transmission facility outages, generator outages, equipment limitations, etc.)."

Real-time Assessments are defined by NERC as "An examination of existing and expected system conditions, conducted by collecting and reviewing immediately available data."

Real-time is defined by NERC as "Present time as opposed to future time. (From Interconnection Reliability Operating Limits standard.)"

The Implementation Plan for CIP-012-1 gives entities 12 months from approval.

Hurricane Harvey has revealed many things, not the least of which is the good that exists in humanity to rally to the aid of those impacted. Another item it has reminded us of is the impact of natural disasters on control centers. We wrote about flooding of the Oroville Dam previously and discussed the benefit of having geographically diverse BES Cyber Systems and control centers. However, most companies are not able to have their own geographically dispersed control centers because their territory is too small.

One possible solution is a reciprocal agreement with another company. You could make an agreement with another company that has a control center far enough away from yours that if there is a disaster you can use their control center or backup control center, and you agree to let them use yours if they experience a disaster. This solution is not simple, however. It takes setting up and coordination, such as setting up and maintaining your own servers or loading your operational control screens on their servers. It requires maintaining physical and electronic access lists. Also, reciprocal agreements are not required by NERC Standards. It's just an idea of something your company could explore in light of recent events.

Another idea is making sure technicians and operators who are needed during a disaster are both able and willing to arrive at work. For the "able" aspect, an example would be: if the planned-for disaster is a snowstorm, do operators have good snow vehicles at their homes? For the "willing" aspect, consider how you would feel if your family wasn't taken care of and you were asked to come into work to help with a disaster. You would be hesitant, and even if you came into work your mind would be distracted. A possible solution is to identify key disaster personnel and ask them what they would need to have done for their family in order for them to feel good about leaving them. They may want to know their family has flashlights, enough food and water for X days, and that all their kids made it home from school. Instead of having the operator or technician do all this on their own, your company could pre-assign disaster coordinators who would ensure flashlights, food, and water are at their home ahead of time. At the start of the disaster, the disaster coordinators would assure the operator they will handle everything for their family. The disaster coordinator would then coordinate with the family to ensure everyone was safe and had all the provisions they needed and then relay that information to the operator. This would allow technicians and operators to arrive at work more quickly and do a better job knowing things were good at home. This system is also not required by NERC Standards. It's just an idea we can take from Hurricane Harvey.

If your company does implement controls above the requirements of NERC Standards, be sure to write about them in your procedures and RSAWs because Regional auditors will give you kudos for them at your next audit.

NERC CIP-002-5 is the starting point for determining which Cyber Assets need CIP protections. Entities are required to evaluate their Bulk Electric System (BES) assets according to Attachment 1. The attachment lists criteria for High, Medium, and Low BES Cyber Assets. Everything appears to be very straightforward, but what about Criteria 2.11? Does non-BES generation count towards the 1,500 megawatts (MW) threshold? NERC (unofficially) says it does.

Criteria 2.11 states: "Each Control Center or backup Control Center, not already included in High Impact Rating (H) above, used to perform the functional obligations of the Generator Operator for an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection."

The issue gets fuzzy in situations such as Control Centers that manage renewable generation, because many solar and wind facilities do not have enough megavolt-amperes (MVA) to be BES facilities. The definition of BES generation is generation connected at 100 kilovolts (kV) or above with individual nameplate rating greater than 20 MVA or plant/facility aggregate nameplate rating greater than 75 MVA.

PCS has been taking the conservative approach that non-BES generation counts towards the 1,500 MW threshold. However, there has been some confusion throughout the industry. PCS had a recent phone conversation with a member of the CIP team at NERC regarding this topic. The member of NERC confirmed that non-BES generation counts and was surprised there was confusion about this. Unfortunately, the person at NERC declined to provide a written response to PCS' email, but based on the conversation with NERC, PCS suggests that entities that have Control Centers evaluate all generation within a single Interconnection, whether BES or non-BES, to see if the total is equal to or exceeding 1,500 MW.
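
The evaluation suggested above, worked through as an added example (not PCS or NERC code). The fleet, field names, and function names are constructed for illustration; the BES test follows the definition as worded in this post, and `net_mw` is assumed to already hold each plant's highest rated net Real Power capability for the preceding 12 calendar months.

```python
from collections import defaultdict

THRESHOLD_MW = 1500  # Criteria 2.11 threshold quoted in the post

# Constructed fleet for one hypothetical Generator Operator Control Center.
# "ic" is the Interconnection; "unit_mva" lists individual nameplate ratings.
FLEET = [
    {"plant": "Gas CC", "ic": "Eastern", "kv": 345, "unit_mva": [300, 300, 250], "net_mw": 720},
    {"plant": "Coal",   "ic": "Eastern", "kv": 230, "unit_mva": [350, 350],      "net_mw": 600},
    {"plant": "Wind A", "ic": "Eastern", "kv": 69,  "unit_mva": [3] * 55,        "net_mw": 150},
    {"plant": "Solar",  "ic": "Eastern", "kv": 138, "unit_mva": [2.5] * 20,      "net_mw": 45},
    {"plant": "Wind B", "ic": "Texas",   "kv": 138, "unit_mva": [2] * 170,       "net_mw": 300},
]

def is_bes(plant):
    """BES generation as defined in the post: connected at 100 kV or above,
    with a unit above 20 MVA or a plant aggregate above 75 MVA."""
    if plant["kv"] < 100:
        return False
    units = plant["unit_mva"]
    return any(u > 20 for u in units) or sum(units) > 75

def aggregate_mw(fleet, include_non_bes):
    """Sum net MW per Interconnection; the threshold applies to each one
    separately, never to the fleet-wide total."""
    totals = defaultdict(int)
    for plant in fleet:
        if include_non_bes or is_bes(plant):
            totals[plant["ic"]] += plant["net_mw"]
    return dict(totals)

def interconnections_meeting_2_11(fleet, include_non_bes=True):
    """Interconnections where the aggregate equals or exceeds 1,500 MW.
    Default follows the conservative reading: non-BES generation counts."""
    totals = aggregate_mw(fleet, include_non_bes)
    return sorted(ic for ic, mw in totals.items() if mw >= THRESHOLD_MW)

if __name__ == "__main__":
    for label, flag in (("BES only", False), ("BES + non-BES", True)):
        print(label, aggregate_mw(FLEET, flag),
              "->", interconnections_meeting_2_11(FLEET, flag) or "below threshold")
```

In this constructed fleet the Eastern Interconnection aggregate is 1,320 MW when only BES generation is counted and 1,515 MW once the sub-100 kV wind plant and the small solar plant are included, so the two readings give different answers for the same Control Center.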
