Data breaches and information leaks are all over the headlines, and as they garner more and more attention, it is certainly not the kind of publicity any company is looking to receive.  From banking to healthcare, data in the wrong hands can be detrimental to the individuals affected by the breach and damaging, sometimes severely, to the breached entity.  Equally important as limiting who has access to your critical and sensitive information, as specified in CIP-003 R5, is controlling how that data is stored and secured.

In today’s world of data accessibility and portability, it should come as little surprise that so many data leaks occur.  With the ease of copying files to a USB stick or other portable media device and carrying them anywhere without detection, the question arises: “How can I protect my most sensitive information AND protect access to all of the critical data I have worked so hard to categorize in my CIP-003 R4 Information Protection Program?”  That is where data encryption comes into focus.

As a point of reference, encryption, as defined within the greater realm of cryptography, is the application of a process (an algorithm) that transforms readable information (plaintext) into an unreadable form (ciphertext) for everyone except those who hold a specific secret (the key).  The goal of encryption is to maintain the confidentiality of your sensitive data, whether in transit across disparate networks (internet, e-mail) or at rest (internal file servers, laptops, thumb drives).  There are many ways to accomplish this task, and while we won’t get into the specific details of any one solution or technological approach here, an excellent reference on the technical details, listed as the Cryptographic Toolkit, can be found on the NIST (National Institute of Standards and Technology) website at http://csrc.nist.gov/groups/ST/toolkit/index.html.

Adopting and implementing an encryption technology approach has been criticized as being complicated to implement and maintain, as well as carrying a high price tag.  What companies should weigh against the complexity of implementation are the consequences of having their sensitive information compromised, including but not limited to damage to industry reputation, fiscal loss, loss of shareholder confidence, and all the negative publicity that comes with this unwanted attention.

Your data and its protection are just one of the essential pieces of maintaining a successful Internal Compliance Program and should always be considered within the scope of your all-encompassing efforts.

We live in a world of fast-paced technology, and everyone is a target for identity theft.  We protect our Nation’s critical infrastructure, so why not learn to protect your own valuable assets?

RFID is a technology that enables the wireless transmission of electronic data using radio waves.  The technology is not new, but it has become more prevalent in our credit cards and passports because of its convenience.  With RFID, you can pay for products or have your passport processed through contactless methods (like the scanners in stores and retail locations).  The RFID chip serves the same purpose as a bar code or the magnetic stripe on the back of a credit card or ATM card: it provides a unique identifier for that object and may contain personal or product-specific information, which in turn greatly increases the speed of the transaction.

At this point, I imagine you’re thinking, “So how is this any different from my current risk of identity theft?”  The risk with RFID is that you could be digitally pick-pocketed by someone carrying a basic RFID reader that can be purchased for as little as $9 on the Internet.  Credit card companies are working on sophisticated encryption techniques to hinder digital thieves and make it harder for them to obtain access, but you need to do your part too.  Make sure you know whether or not your credit cards and passports contain this feature.  Identifying marks include PayPass, ExpressPay, Speedpass, or the contactless symbol identifying RFID.

Technology has its advantages, but let’s make sure we don’t give that advantage away.  Protect yourself.  Purchase shielded sleeves that cover your card and block data transfer while it is inside the sleeve.  And, by all means, always know where your cards are.

On November 18, 2010, FERC issued a Notice of Proposed Rulemaking (NOPR) proposing to approve the NERC Board of Trustees-approved revisions developed in Project 2006-03 System Restoration and Blackstart.  However, the Commission raised questions that will need to be addressed prior to final approval, which is expected in early 2011.

EOP-005-2 contains the following major changes, which will be of interest to the Industry:

  • A requirement for written agreements between a GOP with a Blackstart Resource and the TOP.
  • GOPs with Blackstart Resources must have documented procedures to energize a bus.
  • GOPs with Blackstart Resources must provide training on Blackstart to operations personnel.
  • Distribution Providers that have been included in the TOP plans are now required to provide training on the “unique tasks” assigned to them in the TOP plan.
  • GOPs with Blackstart Resources are required to participate in drills if requested by the RC.
  • Additional detail in the Blackstart plan study methodology must be included to account for dynamic response during restoration.
  • Plan update requirements apply when there are system topology changes (planned or unplanned) that affect the plan.

Of current significance to the industry are the issues on which FERC has requested comment:

  • “Unique task” identification and the meaning of the term.
  • Actions addressing telecommunications systems and overall readiness in restoration plans.
  • Roles of the RC and the TOP with regard to databases and coordination of Blackstart plans.
  • Collecting data regarding restoration exercises and drills and simulations in databases.

Project 2006-03 is still posted at NERC Standards under review.

If you’d like to read the November 18 Blackstart project NOPR, it’s posted at: http://www.ferc.gov/whats-new/comm-meet/2010/111810/E-9.pdf

The history of the SDT work: http://www.nerc.com/filez/standards/System_Restoration_Blackstart.html


And a related story:

The Holiday Power Outage

I recall a Christmas Eve in Milwaukee in the early 1960’s when a winter blast put a damper on the celebrations that my family enjoyed on the eve of Christmas.  The wind was howling and the snow was blowing like it does in those major winter “Nor’easters” in Wisconsin.  The cold wind and the snow are simply part of winter life along Lake Michigan and electricity is appreciated there.

At about 8 o’clock the power went out, and my mother went to light the candles and a couple of oil lamps that she might have kept to remind her of the days on the farm, or was it her form of blackout preparation?

For a while we enjoyed the evening with the candles and the oil lamps lit, sharing Christmas traditions, but as the power remained out the family discussions went in a different direction: “How long do you think it will be?”…“Who is going to fix it in this weather?”…“What do you mean the furnace does not run without electricity?” And more…

So the discussions changed to how the electric grid worked (well, at least from my family’s perspective) and when we could expect the power to return.  My oldest brother was (I was about nine, and in my mind and his) an expert on everything.  He was a private pilot, an expert hunter (well, he did get a deer that fall), he raced cars (sometimes even legally), and so I thought, and perhaps he did too, that he knew more than anyone about everything!

He talked about the linemen who would get a call and venture out in this storm to fix whatever needed fixing to get our Christmas Eve lights on.  He expounded on the attributes of 110 and 220 and high-voltage lines, debated the merits of DC vs. AC and the history of Tesla and Edison, and so on.  He obviously knew everything, and along with my father they could handle anything and protect us from this wintery onslaught, and there were no worries.

Around midnight the power came on; the power company had fixed whatever had failed, and our Christmas Eve ended in a warm house.

There was, though, something about this power grid thing that may have stuck with me from that Christmas Eve.

In 1990 I got involved with blackout planning, with the Blackout plans for Wisconsin Power & Light and many more since.  I realize that families, friends and businesses rely on us to make the power come on, and I do often think back on that Christmas Eve.  Families and friends rely first on those of us entrusted with the power system to keep the lights on, and as a last resort on having a plan to get it going again if it fails.

Blackout preparation is like insurance: most of us simply do it and hope we never need it.  There are no Tony Awards or Oscars, no presidential citations, glamour or prestige; few want to know about it until a blackout, and then the questions and interest diminish in a few days.  There is, however, a satisfaction in knowing that you have a plan, that the System Operators are trained to make it work, and that you can execute it if needed, even on a Christmas Eve, just like the Wisconsin Electric line crew and the Transmission and Distribution System Operators did during that local event on an early 60’s Christmas Eve in Milwaukee.

Then, of course, there may be one or two utilities that would not prepare for a blackout (it has, most unfortunately, occurred): those that may not believe it will ever happen, or that it costs too much, or that there is no need.  Perhaps because of these few we all enjoy, and some appreciate, the System Restoration and Blackout Reliability Standards.

So…to the Operators, and those that go out on those stormy nights and holidays, for all you do to first keep the lights on, and when all fails to get the circuit, the substation, the city, or the whole grid restored…



Francis served on the SDT for project 2006-03

Compliance is an integral part of everyone’s day-to-day activities.  Whether they are Operations personnel or Management, each is responsible for incorporating all aspects of compliance activities, documentation, training, and reporting into their daily operations.  That’s where an Internal Compliance Program comes into play…

An ICP is, in essence, another Procedure developed to detect and prevent company violations of NERC Electric Reliability Standards.  The Federal Energy Regulatory Commission (FERC) has stated on numerous occasions that it expects to see a "culture of compliance" in place and in force for each registered entity.

Although Internal Compliance Programs are not mandatory, FERC has been consistent in its message that if a company acts aggressively to adopt, foster, and maintain an effective corporate culture of compliance, and has in place rigorous procedures and processes that provide effective accountability for compliance, but a violation nonetheless occurs, the Commission may provide a significant reduction in, or in some cases the elimination of, the civil penalty that otherwise would be imposed.  This has been noted in several FERC policy statements that I’ve referenced and linked for you at the end of this article.

Factors that FERC is looking for in an ICP are specified in their Revised Policy Statement on Enforcement.  Along with this, the Regional Compliance Implementation Group (a working group overseen by NERC’s Regional Entity Management Group) developed a Policy Statement to create a Compliance Guidance Document that outlines attributes of a good compliance program.

Some finer points from both of these sources include the following:

  • Have a well-documented Internal Compliance Program (ICP).
  • Disseminate the ICP throughout the entity.
  • Name and staff an ICP oversight position.
  • The ICP oversight position is supervised at a high level in the entity.
  • The ICP oversight position should have independent access to the CEO and/or Board of Directors.
  • The ICP is operated and managed so as to be independent of those responsible for compliance with the Reliability Standards.
  • The ICP has the support and participation of senior management (Officer Level).
  • The entity regularly reviews and modifies its ICP.
  • The ICP includes appropriate and sufficient training for all the staff.
  • The ICP includes formal, internal self-auditing for compliance with all applicable Reliability Standards on a set periodic basis.
  • The ICP includes disciplinary action for employees involved in violations of the Reliability Standards, if appropriate.
  • The ICP has internal controls including self-assessment and self-enforcement to prevent reoccurrence of Reliability Standard violations.
  • The ICP provides sufficient funding for the administration of compliance programs by the Compliance Officer.
  • The ICP promotes compliance by identifying measurable performance targets.
  • The ICP ties regulatory compliance to personnel assessments and compensation, including compensation of management.
  • The ICP provides for disciplinary consequences for infractions of Commission requirements.
  • The ICP provides frequent mandatory training programs, including relevant ‘real world’ examples and a list of prohibited activities.
  • Implement an internal Hotline through which personnel may anonymously report suspected compliance issues.
  • Implement a comprehensive compliance audit program, including the tracking and review of any incidents of noncompliance, with submission of the results to senior management and the Board.

It may seem like a huge undertaking, but it can be well worth the effort.  Take some time and develop a comprehensive Internal Compliance Program (ICP); it’s good business practice and can help mitigate a penalty.  If you need help, let me know, it’s one of the great services my team provides!

For additional reading regarding the benefits of an ICP, go to:

FERC Revised Policy Statement on Enforcement – Docket No. PL08-3-000 (May 15, 2008)
FERC Policy Statement on Compliance – Docket No. PL09-1-000 (Oct 16, 2008)
FERC Revised Policy Statement on Penalty Guidelines – Docket No. PL10-4-000 (Sep 17, 2010)

Hello everyone and welcome to our BLOG!  My name is Crystal Musselman and I have over 15 years of experience in managing compliance programs.  In 2007, after experiencing the first reliability standards audit in the WECC region following FERC’s Order 693, I set a personal goal to have all my counterpart utilities become 100 percent compliant with the Reliability Standards through the sharing of information.  I initially helped create the Western Interconnection Compliance Forum (WICF) as a forum to share experiences and technical knowledge, and now that I’m in the consulting business, I hope this BLOG can help further my desire to continue to help the industry.  Along with my involvement in a 693 audit, I have assisted many companies in mock audits, and my PCS colleagues and I keep up with the latest happenings in the industry.  I have three master’s degrees: Engineering & Technology, Business, and Organizational Behavior.  As you can probably tell, I crave learning and enjoy the challenge that reliability compliance brings to all of us, so I hope my blog will be of value to you.  Stay tuned for many more compliance-related articles from both myself and my teammates at PCS.
