July 31, 2018
By Michael Kuser, Rory D. Sweeney, Amanda Durish Cook and Rich Heidorn Jr.
WASHINGTON — FERC Commissioner Cheryl LaFleur, who has been attending the commission’s annual reliability technical conference since her appointment in 2014, always opens the meeting by citing something special about each year’s gathering.
At Tuesday’s conference, LaFleur noted it has been 50 years since NERC was formed following the 1965 Northeast blackout. “I was practicing piano when the lights went out in Boston,” she recalled.
Issues cited in past years — including cybersecurity and improving NERC’s efficiency — were joined in this year’s hearing by concerns over inverter-based resources, the wind-down of Peak Reliability and the impact of gas shortages on resiliency. Commissioner Neil Chatterjee chaired the session for Chairman Kevin McIntyre, who was unable to attend. Chatterjee was joined by LaFleur and Commissioners Robert Powelson and Richard Glick (AD18-11).
NERC CEO Debuts
It was the FERC debut for new NERC CEO Jim Robb, who joined the organization four months ago from the Western Electricity Coordinating Council. Robb said his initial focus has been implementing the risk-based philosophy that NERC and the Regional Entities (REs) established over the last several years “and really embedding that in all the activities we undertake.”
A second priority, he said, is “consistent implementation” of NERC’s programs across the regions. “It’s clearly a challenge. It’s clearly an issue that industry wants to see us get better at.” He vowed to focus on the big issues and “try not to be distracted by the trivial.”
Time for a Gas Standard?
Robb also described his organization’s work on fuel assurance, the subject of a NERC technical conference in early July. Robb said it is time to shift from recognizing the challenges caused by the increasing reliance on natural gas and identify actions that can “synch” the operating practices of the gas and electric industries to make them “compatible and harmonious.”
NERC’s reports, such as its November 2017 special reliability assessment on risks to the grid from severe gas disruptions, are one tool, he said. (See NERC: Natural Gas Dependence Alters Reliability Planning.)
“We’re not close-minded to the possibility of a suite of standards, if indeed they’re required. I think at this point in time we haven’t made that leap that we think we need to go to the step of creating a fuel-specific standard — that we can address this through some of the existing processes that we have,” Robb said. “But it’s clear that industry wants more guidance around what they should be studying and what sort of corrective actions they should be contemplating.”
That was exactly the ask of Peter Brandien, ISO-NE’s vice president of system operations. “It would be helpful for us if there was some sort of guideline or something agreed upon by the industry on how to look at energy security and what are the attributes or the pass/fail criteria you should be looking at,” he said.
Cybersecurity Rules for Pipelines?
Glick asked witnesses whether there are sufficient cybersecurity rules for gas pipelines. In June, Glick and Chatterjee penned a joint op-ed calling for mandatory reliability standards for natural gas pipelines like those FERC and NERC enforce on the grid. They noted that the Transportation Security Administration has only a half-dozen employees overseeing pipeline security and relies on voluntary cybersecurity standards.
Berkshire Hathaway Energy CEO William Fehrman, who testified for the Edison Electric Institute (EEI), said NERC’s Critical Infrastructure Protection (CIP) standards “were very effective in developing a culture of security” in the industry.
“I do think that similar approaches should be made on gas pipelines. Whether or not there needs to be a standard I think is debatable, but I certainly believe that a similar focus on security and a culture of defensive postures on gas pipelines is appropriate.”
He added, “When we look through our assessments of pipelines, I would say that the vast majority of operators are already well beyond what would be a similar CIP standard. But, nonetheless, there is a good opportunity for further discussion on that matter.”
“I don’t have nearly as much visibility into the mechanics of how the pipeline systems actually operate,” said Robb.
“I’m not in a position to say whether or not the TSA … approach is adequate or not.”
Testifying later, independent consultant Alison Silverstein pointed out that no one from the gas industry was invited to appear on any of the four panels.
Silverstein also challenged the focus on fuel security, saying fuel shortages account for only a tiny portion of outage events. “We have a grid that some of the pieces on it are 70, 100 years old,” Silverstein said. “Today we’re built for Ozzie and Harriet weather, and we’re facing Mad Max in terms of the magnitude of threats from extreme weather.”
She also urged a focus on reliability measures with proven benefits, “like tree-trimming, the gift that keeps on giving, every season.”
When to Press
LaFleur asked when FERC should press NERC and the industry on new standards, citing a “conservatism” built into NERC’s industry voting mechanism. “Part of our job is to be annoying and push when there’s something” that needs to be addressed, she said, citing FERC’s directives on physical security and geomagnetic disturbances.
“That’s a great question,” Robb responded. “I wish I had a crisp answer to it, but I don’t …. I think there’s a little bit of ‘you’ll know it when you see it’ embedded in here.”
Tim Gallagher, CEO of RE ReliabilityFirst, said the answer depends on the pervasiveness and imminence of the threat. “Standards are not in my mind the ideal way to respond to emerging or potential threats. Sometimes the threat or the risk can be addressed quite well outside of the standards process,” he said.
Gallagher cited NERC’s response to the widespread generation failures during the 2014 polar vortex. Afterward, NERC made site visits to willing generators and suggested corrective measures.
“If we had gone down the standards path in that case,” he said, “we would not have been prepared for the next winter. Taking this more aggressive, non-standards approach, we were able to elevate performance — along with working with our RTOs and improvements they made — and the voluntary cooperation of the industry to have much better performance.”
Steven Naumann, Exelon’s vice president of transmission and NERC policy, said the time-consuming standards process is especially ill-suited for responding to cyber threats. “The threat is going to change. We’re dealing with intelligent adversaries … so if we close one door they’re going to look for another.”
RC Function in West
LaFleur asked what FERC should be concerned about regarding Peak Reliability’s plan to cede its role as the Western Interconnection’s reliability coordinator to CAISO and perhaps others.
“The thing to remember about the Western Interconnection is it really works as one integrated machine,” said Robb, noting that radially-connected Alberta is an exception. “Having a unified reliability coordinator overseeing that system was very beneficial. One of the issues we deal with in the West is that a problem in the Northwest can manifest itself in New Mexico very, very quickly. So, I think the most important thing, as we shift to a multi-reliability coordinator system in the West, is that the seams agreements and operating protocols between them really recreate that wide area view for the entire interconnection. The most important thing that can happen right now is for the TOPs [transmission operators] and BAs [balancing authorities] in the West to declare where they are going to go so that we know where the seams are.”
Commissioner Glick asked how CAISO was going to address concerns he’s heard from some entities in the West that CAISO’s role in operating the markets and being the RC could lead to conflicts of interest — an issue that dogged SPP in the past.
“RC services are driven by compliance standards. They’re operational and engineering in nature,” responded Eric Schmitt, CAISO’s vice president of operations. He said CAISO asked potential customers to help it create the framework for the new function.
“We think it honors independence and separation between our … BA reliability function and markets and RC services. Organizationally and process-wise, we’re creating the kind of separation that the customers would like to see. Yes, there’s more discussion to be had around that as we go forward, but we think that was a good start.”
Standardizing Inverter Configurations
CAISO’s Schmitt also called for standardization of the configuration of inverters on renewable generation, citing the ISO’s problem with utility-scale solar tripping offline. (See Solar Inverter Problem Leads CAISO to Boost Reserves.)
“Nobody ever told the inverter owners how to program them,” said Robb. “The good news is industry has been very responsive. I think we’ve solved the problems that we know of. We may find others.”
Robb said NERC expects to begin work in August on two Standard Authorization Requests (SARs) on inverters.
Don’t Attempt to Control the Future
Panelists in the conference’s third session looked to the future and urged the commission not to attempt to control what it looks like.
“I think the way we’ve been thinking about essential reliability services is right on point,” said John Moura, NERC’s director of reliability assessment and system analysis. He cited several examples of recent grid-level issues, such as frequency response, that have been addressed with interaction between NERC and FERC.
Quanta Technology President Damir Novosel, who appeared on behalf of the IEEE Power & Energy Society, said the key is “knowing what we want to accomplish through [performance] standards, then [having] the market that will value what [we] want to accomplish.”
Speaking for the Large Public Power Council, ElectriCities of North Carolina CEO Roy Jones urged the commission to ensure that any resource that can provide the necessary services has access to the market to do so. He called for driving the standardization of storage resources further upstream to manufacturers, where “it’s more efficient to work on it there once so that everything coming down the assembly line has that standard.”
Wabash Valley Power Association CEO Jay Bartlett, who appeared on behalf of the National Rural Electric Cooperative Association, said regulators should first determine the right information to know about new equipment on the system so “that we can effectively model it and ensure that we don’t spend good money after bad, trying to cover parameters that we can’t model with reserves.”
Nicholas Miller, a principal at HickoryLedge LLC, called for standards and market signals that are “outcome-based, not enabling-based,” because “there’s a lot more knobs that can be turned with inverter-based resources than with synchronous machines.”
Peter Gregg, CEO of Ontario’s Independent Electricity System Operator, said managing data is essential for the future.
“If we think about how our systems are becoming more complex, they are only going to become more complex,” he said. “I think our challenge is, how do we better leverage the data that we’re creating … how to actually access, interpret, analyze and use that data.”
On the final panel, which focused on cybersecurity, NERC Senior Director Bill Lawrence discussed NERC’s plan to expand its Cybersecurity Risk Information Sharing Program (CRISP) to improve information sharing.
“Right now, CRISP covers well over 75% of the meters in the United States …. We have a very good sample set of what’s going in and out of IT networks,” Lawrence said.
But information sharing methods are still limited, he said.
“Whenever we start talking about … automated information sharing, I like to throw ‘HV’ in front of that ― human verified. Right now, we don’t have the trust on any information shared to be able to apply directly to production systems without awareness of the consequences it might have. So, we don’t have machine-to-machine yet,” said Lawrence, adding that the Department of Energy National Laboratories and federal research and development programs are working on trust models “to separate the wheat from the chaff.”
DOE’s Carol Hawk said the National Laboratories are also looking into “containerizing” power system applications so that each is isolated with a decreased chance of being compromised.
Hawk said cybersecurity staff could use the operational nature of the industry itself to protect against attacks. “Here’s an example: Each component in [a] system is designed to perform a very specific, limited function. We have developed technology that will allow the system to deny by default any unexpected cyber activity …. If it’s not expected, don’t allow it,” she explained. Hawk said with the system effectively locked down by only allowing its intended function, it “shrinks the cyber attack surface.” She added that protective relays could use modeling to analyze within four milliseconds whether a command sent by an adversary would destabilize the grid.
“So I see a bright future … because we can use characteristics of that operational environment to protect itself, to automate a response that makes sense,” Hawk said.
Trinity Cyber President Marie O’Neill “Neill” Sciarrone said addressing cybersecurity issues has changed little from her time at the Department of Commerce’s Critical Infrastructure Assurance Office in the early 2000s.
“We were coming out of Y2K and addressing the Code Red [virus], and you realize we’re talking about the same thing today we were talking about in 2000, and that’s sad. And that’s basically where we are,” Sciarrone said. She urged the sharing of more “actionable information.”
“You can share … IP addresses for someone to block, but you’re not giving the context of why or how the threat is evolving or how the threats to their IT systems are making their way to their [operational technology] systems,” she said, adding that it’s “absurd” to prepare for an unnamed adversary.
“When it comes down to it, we all need to admit adversaries have more motivation, more funding, more resources than any of us, and we need to bind together and be very transparent and open about what we’re seeing, how we’re acting, how we’re solving problems, and be as willing as they are to adopt modern technology and to be flexible and to move if we’re going to combat that. Otherwise, we’re fighting with both arms behind our back,” Microsoft’s Matt Rathburn said.
NERC CIP Standards
LaFleur asked whether the NERC CIP standards are sufficient or excessive.
“We hear the standards were just a baseline ― any self-respecting company has gone well beyond that. In other parts, we hear that we are way too restrictive and should be cut back …. [Edison Electric Institute] said we should have a moratorium on standards; there are too many,” she said.
Lincoln Electric System’s Paul Crist said utilities must balance compliance with emerging security threats. He said situations can arise where software vendors become compromised, but removing their software would lead to noncompliance. Crist admitted CIP standards “are probably a struggle for all” and said his company tries to balance the risk of violating compliance with having sufficient incident response capabilities. He noted that some vendors deliberately refuse to offer CIP compliance.
Rathburn said CIP guidance is not clear enough to issue any guarantees an entity will pass an audit.
“I have 78 certifications. CIP is not one of them,” he said.
Dragos’ Ben Miller said the industry’s understanding of threats is limited: “We have anecdotes. We don’t have large data sets. So I think it’s hard from a standards process … to chase the threat.”
After Hawk suggested asset owners may not be able to afford to cover the costs of sophisticated cybersecurity programs, LaFleur said she’s never spoken to a transmission owner who doesn’t have the opportunity to recover cybersecurity costs in rates.
Hawk said the issue of cost may emerge with research and development programs for new technologies.
“If a company is wanting to do something on their system, buy a new package to make it more secure, and they are not able to fund that, we would like to know about that,” LaFleur said. “There are so many things we can’t control, that are not within FERC’s authority. Utility rates are one of the things we actually do.”