Two of the most common questions that current and prospective clients ask the CIP team at Proven Compliance Solutions Inc. (PCS) are, “When does my generation control facility become a Low Impact BCS Control Center?” and “When does my Low Impact BCS generation Control Center become a Medium Impact BCS Control Center?” Answers to both are fairly straight-forward and begin with an understanding of the definition of “Control Center”. Terms that are used in the North American Electric Reliability Corporation (NERC) Reliability Standards are defined in the NERC Glossary of Terms.
Control Center is defined as:
“One or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of:
1) a Reliability Coordinator,
2) a Balancing Authority,
3) a Transmission Operator for transmission Facilities at two or more locations, or
4) a Generator Operator for generation Facilities at two or more locations.”
The following steps provide an explanation of the method that PCS recommends for determining the impact rating of your generation control facility. A flow diagram of this process is also provided below.
Step 1: Determine if Generation Control Facility Meets the Definition of Control Center
If we focus strictly on the generation facet of the definition (assuming the control facility is not acting as a Balancing Authority or Reliability Coordinator), we can paraphrase it as follows: “One or more facilities hosting operating personnel that monitor and control the BES in real-time to perform the reliability tasks of a Generator Operator (GOP) for generation Facilities at two or more locations.” It’s important to note that the definition deliberately uses the phrase “perform the reliability tasks of a GOP” and not “registered as a GOP”. This is partially due to the fact that, unlike a generation or transmission Facility, a Control Center is not a registered NERC Facility with its own registered function type.
Reading the definition closely, we also note that a control facility doesn’t become a Control Center until it performs GOP functions for two or more BES generation Facilities. An organization that controls, for example, eighteen non-BES generation facilities and a single BES generation Facility would not qualify as a Control Center. Add a second BES generation Facility and bam, you have a Control Center.
Once we have determined that the control facility meets the Control Center definition, we turn to NERC Reliability Standard CIP-002-5.1a – Cyber Security – BES Cyber System Categorization for further guidance.
Step 2: Confirm Applicability to CIP-002-5.1a
Looking at section 4. Applicability listed under A. Introduction of the CIP-002 Standard, we find Generator Operator in the list of qualifying functional entities (see 4.1.3.). Continuing to section 4.2 Facilities, we find that the requirements of the CIP-002 Standard are applicable to All BES Facilities (see 4.2.2.). The owners/operators of those Facilities that qualify under the applicability section are referred to as the “Responsible Entity” throughout the remainder of the Standard.
Step 3: Confirm the Asset to be Considered
Moving on to section B. Requirements and Measures of the Standard, R1 indicates that each Responsible Entity shall implement a process that considers each of the assets contained in subsections i. – vi. of the Requirement. As it turns out, Control Centers and backup Control Centers are listed as the first subsection bullet.
Step 4: Apply the CIP-002-5.1a Attachment 1 Criteria to Determine Impact Rating
The next step is to apply the criteria listed in CIP-002-5.1a Attachment 1 to determine the Impact Rating of the Control Center or backup Control Center as either a High, Medium, or Low Impact BES Cyber System (BCS).
The High Impact Rating section identifies Control Centers that function as Reliability Coordinators, large Balancing Authorities, certain Transmission Operators, and Generator Operators for one or more generation Facilities that have been identified as Medium Impact BCS. Assuming none of these are true for the newly classified Control Center, we move on to the Medium Impact Rating section.
In the Medium Impact Rating section we find only one criterion that could make the Control Center Medium Impact BCS, that being 2.11 which states (paraphrased) that Control Centers that perform the functional obligations of the GOP for 1500 MW in a single Interconnection must be classified as Medium Impact BCS. We must now add up the aggregate highest rated net Real Power capability of the preceding 12 calendar months controlled by the Control Center for each Interconnection. Notice that there is no reference to including only BES generation Facilities in the count, so Non-BES generation facilities must be included in the totals for each Interconnection.
· At or Exceed 1500 MW in a single Interconnection and you have a Medium Impact Control Center.
· Stay under 1500 MW and your Control Center is classified as Low Impact BCS under the Low Impact Rating section criterion 3.1.
Step 5: Update the MW Total for Each Interconnection on a Monthly Basis
It’s important that Generator Operators who are rapidly expanding their generator fleet perform these calculations on a regular basis. Moving from a Low Impact CIP compliance program to a Medium Impact CIP compliance program is a huge lift and takes a great deal of effort and time to implement correctly.
Flow Diagram for Determining Impact Rating of Generation Control Facility
The PCS CIP team has extensive experience in assisting our clients with building their CIP compliance programs for newly classified Low Impact Control Centers, as well as helping clients move their Control Center CIP compliance program to a Medium Impact level as they grow their generation fleet. For more information on how we can assist your organization with determining Impact Ratings, writing or assessing your CIP compliance program, or other NERC Reliability Standards compliance needs, contact Dale Zahn at dzahn@provencompliance.com or (262) 436-4116. To learn more about Proven Compliance Solutions Inc., visit our website at www.provencompliance.com.