PCS BLOG

Having been on all three sides of preparing for a NERC / Regional audit (while employed by TVA, working for NERC, and finally working at PCS), it is my opinion that the typical utility NERC Coordinator or manager has a HUGE job ahead of them.  PCS has worked with large utilities as well as fairly small, limited scope entities (such as a GO/GOP or DP/LSE), and regardless of the size, the job of coordinating all the required responses and submittals can be at best daunting.  There are three or four roles that the utility coordinator must play, and play well, for an audit to be completed in such a manner as to not interfere with the real business of generating, transmitting, and distributing electric power.  These consist of coaching skills, judgment skills, logistics skills, and in some instances, expert skills for any or all Reliability Standards.  The following is a synopsis of some of these activities (and no, this is not intended as an exhaustive list).

For instance, it is not an unusual circumstance that the coordinator is also the Head Coach for the utility Subject Matter Experts (SMEs), both in preparing data and RSAW responses as well as in preparing for interviews and responding to onsite (high pressure) questions.  For many, it is their ability to do this very critical job that has landed them with this role in the first place!  During an onsite event (and even some offsite audits), the coach often has to help the SME deal with the stress of being selected to sit in the ‘hot seat’ of the audit – whether as an interviewee or just to clarify questions.  These guys and gals are prepared and called upon to make quick decisions regarding system reliability (“up to and including the shedding of firm load”), and often are not equally prepared for the intense scrutiny of the auditor.

The coordinator is also the Internal Judge, in many cases, as to whether the evidence prepared by the SME is sufficient to satisfy compliance without leading the auditor to ‘other areas’ for discussion.  A good friend of mine referred to inadequate data and vague answers as ‘chum’ for the auditor – they can smell it miles away and are always attracted to what they may find.  Dinner, perhaps?   The coordinator also must try to make sure the evidence presented does not throw a fellow SME or neighboring utility ‘under the bus’.  Finding that right mixture of positivity and data can be a challenge, particularly where a lot of job evolutions take place.  (How many phone conversations does your operator take part in each day that could be called into evidence?)

Another role that frequently comes into play is that of Master Logistician.  Logistics of where the audit team lodges during the event and what they are fed.  Logistics of how many meeting rooms and when they are needed.  (We know of one instance where the utility, with limited resources in this area, actually rented a portable classroom for a Regional audit event.)  And most importantly, keeping track of the SMEs and ensuring their availability at all reasonable hours to help the audit team understand the entity submittals and face test questions.

Smaller entities will understand that often the coordinator is also the de facto Subject Matter Expert for many or even all of the applicable Reliability Standards.  Many companies, in their drive toward competitiveness, rely heavily on the coordinator to also provide all needed input to the audit team during the audit event, whether on- or off-site, crafting all RSAW responses and gathering all evidence.  This makes the ‘one bus wonder’ a reality – what are the consequences of this person getting waylaid for any reason?  Can anyone step in and fill those shoes?

PCS offers a ‘hats off’ to these utility coordinators, regardless of their title – most of us have been in your position at one time or another.  We know the long hours, protracted discussions, head scratching from ‘interesting’ audit questions, and just the plain old stress that comes with your job.  It is always our desire to lessen the burdens on any of our clients, and we pay particular attention to the coordinator in all of their duties.  Their role is so very crucial, often providing the first impression of their company to the audit team – meeting them in the lobby and showing them to the first session.  If you haven’t done so, we suggest you engage your audit coordinator and offer your assistance.  You would be amazed how much goodwill and boosted morale that simple act will produce.

Keep up the Good Fight!

If the Enforcement Actions haven’t gotten your attention yet, they certainly should be. To date, over $41.5 million in penalties have been assessed to NERC Registered Entities.

According to NERC’s own statistics, there are over 3,300 active possible compliance issues still in process and over 200 coming in each month.

In an effort to reduce workload, in 2010 NERC introduced the Administrative Citation, which was an abbreviated route to move potential violations through the process. Although this helped, it was not making a big enough dent in NERC’s backlog.

On September 30, 2011, NERC filed a petition with FERC (RC11-6-000) requesting approval of a new enforcement mechanism for dealing with possible violations that pose a lesser risk to the BPS. This filing also gave us our latest acronym in the reliability compliance world, the “FFT.” The 90-page filing, titled Petition Requesting Approval of New Enforcement Mechanisms and Submittal of Initial Informational Filing Regarding NERC’s Efforts to Refocus Implementation of Its Compliance Monitoring and Enforcement Program, describes NERC’s decision to shift how it deals with lesser risk issues. Possible violations in this lesser risk category that have been corrected will be presented as Remediated Issues in a Find, Fix, Track and Report (FFT) spreadsheet format that will be submitted to FERC in an informational filing on a monthly basis. The filing also indicates that more serious risk violations will be submitted to FERC in a new Spreadsheet Notice of Penalty (NOP) or Full NOP, as warranted. So, commencing with this filing, NERC will have three tracks for dealing with possible compliance matters: NOPs, FFTs, and dismissals.

To date, issues proposed for the FFT mechanism do not carry a penalty, unlike the Administrative Citations or Violations that can be issued a zero ($0) penalty. Keep in mind, though, that FFTs will be put on a Registered Entity’s record for tracking of future violations.

You might be thinking, “How do we know if this is going to make a difference?” NERC has committed to reporting back to the Commission and industry stakeholders at six months and one year following its initial filing on experience gained and the results from implementation of the new mechanisms and tools. Let’s hope that FERC approves this petition. It seems to be reasonable and will allow NERC and the Regions to focus on the more serious violations going forward.

That’s what it’s all about – increasing reliability!

You may have heard the phrase, “It’s better to have it and not need it, than need it and not have it.”  Certainly, if you’ve ever filed an insurance claim, and assuming your coverage was sufficient, you were probably very glad to have that coverage to take care of the cost of repairs, replacement, and perhaps offset any liability.  Think about all the commercials and advertisements you’ve seen for services that offer personal protection against identity theft.  This is yet another type of insurance, one designed to protect you from online data theft and misappropriation.

Considering the imperfect world we live in, where there are no guarantees, and with computer networks being vulnerable to both external and internal compromises, the potential cost of dealing with a security breach and its subsequent cleanup can be incredibly high.  In fact, research by the Computer Security Institute asserts that on average a company loses $234,000 for each security breach that occurs.

Generally speaking, standard property and general business liability insurances do not properly address the issues or damaging results that occur from a cyber attack on your network infrastructure.  Enter what is called “specialized cyber-risk coverage.”

The goal of an insurance policy that addresses cyber security exposure is to transfer that risk from your company to an insurance company.  That seems quite obvious.  Insurance carriers may offer discounts and other incentives for your diligence in protecting your network (think good student discount).  The other positive benefit is that it raises awareness around security measures that can help protect your company.  So in brief, let’s examine the types of coverage that can be obtained.  The following information was acquired directly from the Insurance Information Institute (www.iii.org) website and does an excellent job of explaining the different types of available coverage.

  • Loss/Corruption of Data – covers damage to or destruction of valuable information assets as a result of viruses, malicious code, and Trojan horses.
  • Business Interruption – covers loss of business income as a result of an attack on a company's network that limits the ability to conduct business, such as a denial-of-service computer attack. Coverage also includes extra expense, forensic expenses, and dependent business interruption.
  • Liability – covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of:
      o Breach of privacy due to theft of data (such as credit cards, financial, or health related data);
      o Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties;
      o Failure of security which causes network systems to be unavailable to third parties;
      o Rendering of Internet Professional Services; and
      o Allegations of copyright or trademark infringement, libel, slander, defamation or other "media" activities in the company's website.
  • Cyber Extortion – covers the "settlement" of an extortion threat against a company's network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
  • Public Relations – covers those public relations costs associated with a cyber attack and restoring of public confidence.
  • Criminal Rewards – covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of the cyber-criminal who attacked the company's computer systems.
  • Cyber-Terrorism – covers those terrorist acts covered by the Terrorism Risk Insurance Act of 2002 and, in some cases, may be further extended to terrorist acts beyond those contemplated in the Act.
  • Identity Theft – provides access to an identity theft call center in the event of stolen customer or employee personal information.

Premiums will vary based on the size of your organization, and it may be worth taking a look at as the number of vulnerabilities and their potential for damaging impact continues to rise.  In this day and age, it has become more of a matter of when than a matter of if your organization will suffer a breach of some type.  It’s always best to be prepared and informed when it comes to risk management.

The NERC CIP Standards Drafting Team recently presented a webinar to the industry on the current status of the CIP Version 5 Standards.  While there are many changes from the current version of the CIP Standards and what was presented at the last Drafting Team workshop, we will focus in this post on the concept of ‘impact status’ and the potential effects on Asset Owners.  It is important to note that the industry is a long way from final FERC approval for CIP Version 5, so some of these criteria may change before impacting Responsible Entities.

With the approval of CIP-002 Version 4, Responsible Entities will no longer provide their own criteria to categorize assets as Critical or non-critical.  Instead, NERC has provided a “bright line” set of criteria that must be used to determine criticality.  CIP-002 Version 5 builds on this concept with additional granularity and assigns compliance efforts and requirements to assets based on each asset’s potential impact on the Bulk Electric System (BES).

High Impact – The focus for this category of assets is on large control centers and the possible widespread impact they could have on the BES.  Asset owners with large control center assets will have to conform to all of the CIP-002 through CIP-011 Standards and will have additional requirements specific to the additional risk they present to the BES (mostly related to remote access).  Control Center and Backup Control Center Assets are currently proposed to be High Impact if they meet any of the following criteria:

  • Reliability Coordinator function
  • Balancing Authority function (if it manages at least one medium impact Critical Asset)
  • Transmission Operator function that controls at least one medium impact Critical Asset
  • Control generation equal to or exceeding 1500 MW in a single Interconnection

The vast majority of these assets are already characterized as Critical Assets, so the additional burden of the CIP Version 5 changes should be minimal.  Most asset owners can afford to wait until Version 5 is approved by FERC before beginning to plan for required changes.

Medium Impact – The focus for this category of assets is on all of the other systems that would be captured under the NERC BOT approved CIP-002 Version 4 criteria (including smaller control centers).  Asset owners with assets that meet these criteria will have to conform to all of the CIP-002 through CIP-011 Standards, with the exception of the additional High Impact Control Center requirements.  While the entire list of criteria to apply is too long to repeat here, examples include (paraphrased for brevity):

  • Groups of generating units at a single plant location exceeding 1500 MW in a single Interconnection
  • Blackstart Resources identified in the TO’s restoration plan
  • Transmission Facilities operated at 500 kV or higher
  • Transmission Facilities operated at 300 kV or higher with stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations
  • Transmission Facilities that provide interconnections to Medium Impact generation facilities

Many of these assets are already characterized by their owners as Critical Assets, so the additional burden of the CIP Version 5 Standards for these assets should be minimal.  Asset owners who do not have an existing CIP compliance program in place and will be declaring new Critical Assets under Version 4 should begin planning and budgeting now for the difficult and time-consuming creation of a CIP compliance program.  Asset owners who already have Critical Assets under CIP Version 3 with an existing CIP compliance program will have less effort in preparing any new assets for compliance, but must also plan on a shorter implementation schedule.

Low Impact – This category will capture all other BES cyber systems below the Version 4 criteria.  Low impact assets will be required to have the following:

  • Security Policy
  • Security Awareness
  • Incident Response
  • Boundary Protection

The CIP Standards Drafting Team is proposing a fairly long Version 5 implementation timeline for low impact assets; however, Responsible Entities with a large number of assets in this category should already be thinking about an enterprise-wide set of policies and practices around the proposed topics listed above.  NERC will be expecting Responsible Entities with low impact assets to not only have their policies in place by the compliance deadline, but to also have operationally implemented these policies across all of their qualifying assets.  This could potentially be a very time-consuming project for Responsible Entities with a large number of assets.
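The High, Medium and Low criteria above are a decision procedure, and the order in which they are evaluated matters: a Balancing Authority or Transmission Operator control center is High only if something it manages has already been rated Medium, and the 1500 MW control-center threshold is summed within a single Interconnection.  The following Python is an added illustration written for this post; it is not code from PCS, NERC or the Drafting Team, and it implements only the criteria as paraphrased above (not the full standard text).  It assumes, as a labelled reading of the parenthetical about “smaller control centers,” that a control center not meeting any High criterion lands in Medium, and the sample assets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

HIGH, MEDIUM, LOW = "High", "Medium", "Low"


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                               # "control_center", "generation" or "transmission"
    interconnection: str = "Eastern"        # constructed label; MW criteria apply per Interconnection
    functions: Tuple[str, ...] = ()         # control centers only: "RC", "BA", "TOP"
    mw: float = 0.0                         # generation only: MW at the plant location
    kv: float = 0.0                         # transmission only: operating voltage
    interconnected_300kv_stations: int = 0  # transmission only: other stations tied at >= 300 kV
    blackstart_in_restoration_plan: bool = False
    controls: Tuple[str, ...] = ()          # control centers only: assets managed / controlled
    interconnects: Tuple[str, ...] = ()     # transmission only: generation assets it ties in


def medium_standalone(a: Asset) -> bool:
    """Medium criteria from the post that can be judged from the asset alone."""
    if a.kind == "generation":
        return a.mw > 1500 or a.blackstart_in_restoration_plan
    if a.kind == "transmission":
        return a.kv >= 500 or (a.kv >= 300 and a.interconnected_300kv_stations >= 3)
    return False


def classify(assets: List[Asset]) -> Dict[str, str]:
    by_name = {a.name: a for a in assets}
    rating = {a.name: LOW for a in assets}          # everything starts as Low

    # Pass 1: self-contained Medium criteria (plants, blackstart, voltage rules).
    for a in assets:
        if medium_standalone(a):
            rating[a.name] = MEDIUM

    # Pass 2: transmission that interconnects Medium generation; needs pass 1 first.
    for a in assets:
        if a.kind == "transmission" and any(
            g in by_name and by_name[g].kind == "generation" and rating[g] == MEDIUM
            for g in a.interconnects
        ):
            rating[a.name] = MEDIUM

    # Pass 3: control centers; BA/TOP status depends on what they manage being rated.
    for a in assets:
        if a.kind != "control_center":
            continue
        controlled = [by_name[n] for n in a.controls if n in by_name]
        manages_medium = any(rating[c.name] == MEDIUM for c in controlled)
        mw_per_interconnection: Dict[str, float] = {}
        for c in controlled:
            if c.kind == "generation":
                key = c.interconnection
                mw_per_interconnection[key] = mw_per_interconnection.get(key, 0.0) + c.mw
        high = (
            "RC" in a.functions
            or ("BA" in a.functions and manages_medium)
            or ("TOP" in a.functions and manages_medium)
            or any(total >= 1500 for total in mw_per_interconnection.values())
        )
        # Assumption for this example: a control center that is not High is Medium.
        rating[a.name] = HIGH if high else MEDIUM
    return rating


# Constructed sample fleet (names and numbers invented for the illustration).
SAMPLE_ASSETS = [
    Asset("PlantA", "generation", mw=1800),                                   # > 1500 MW
    Asset("PlantB", "generation", mw=400, blackstart_in_restoration_plan=True),
    Asset("PlantC", "generation", mw=600),
    Asset("PlantD", "generation", mw=900),
    Asset("PlantE", "generation", mw=900, interconnection="Western"),
    Asset("Line500", "transmission", kv=500),
    Asset("Sub345", "transmission", kv=345, interconnected_300kv_stations=2),
    Asset("Sub345Hub", "transmission", kv=345, interconnected_300kv_stations=3),
    Asset("TiePlantA", "transmission", kv=230, interconnects=("PlantA",)),
    Asset("TiePlantC", "transmission", kv=230, interconnects=("PlantC",)),
    Asset("RC-CC", "control_center", functions=("RC",)),
    Asset("BA-CC", "control_center", functions=("BA",), controls=("PlantC",)),
    Asset("TOP-CC", "control_center", functions=("TOP",), controls=("Line500",)),
    Asset("GenCC-East", "control_center", controls=("PlantC", "PlantD")),    # 600 + 900 MW, one Interconnection
    Asset("GenCC-Split", "control_center", controls=("PlantC", "PlantE")),   # 600 MW East + 900 MW West
]


def sample_ratings() -> Dict[str, str]:
    return classify(SAMPLE_ASSETS)


if __name__ == "__main__":
    for name, level in sample_ratings().items():
        print(f"{name:12s} {level}")
```

Two results are worth noting when reading the output: GenCC-East becomes High because two individually Low plants in the same Interconnection sum to 1500 MW, while GenCC-Split controls the same total across two Interconnections and stays Medium; and TiePlantA is Medium only because PlantA was rated first.  A real categorization must use the actual CIP-002 Version 5 attachment criteria once approved, so treat this as a model of the evaluation order rather than of the thresholds.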

Mr. Gerry Cauley, President & CEO of NERC, explained at a November 18, 2010 FERC technical conference that there were over 3,000 violations pending and an average of 30 new violations coming in each week.

On February 1, 2011, NERC filed a new form of Notice of Penalty with FERC to help expedite the backlog of alleged violations of the mandatory electric Reliability Standards.  This process, as NERC describes it, will be like receiving a ‘parking ticket.’  Violations of minimal risk to the bulk-power system will be included in this process.

Hopefully, this will help with the tremendous backlog and clear up some questions entities have regarding their compliance.

If you have not already seen, many new Enforcement Actions were posted on the NERC Website on January 31, 2011. To view the files, go to http://www.nerc.com/filez/enforcement/index.html.
