June 26, 2017
By Michael Brooks
WASHINGTON — A decade of mandatory standards has improved the grid’s reliability, but it’s time for regulators to prune unnecessary rules, speakers told FERC on Thursday.
At its annual technical conference on reliability, the commission delved into the weeds on compliance enforcement, gas-electric coordination and cybersecurity (AD17-8).
NERC received accolades from many who spoke at the conference for its continual improvement of the grid’s reliability; its transparency and coordination with other stakeholders; and its Reliability Assurance Initiative, a risk-based approach to compliance enforcement approved in 2015 that allows facilities to self-log minor violations — and NERC to focus on the most serious issues. The initiative also included the creation of Inherent Risk Assessment (IRA) profiles for facilities, which help NERC decide what standards to focus on.
FERC’s conference came days after the 10th anniversary of the first mandatory reliability standards under FERC Order 693 and a week after NERC released its State of Reliability report, from which CEO Gerry Cauley recounted some key statistics in his opening remarks. (See NERC: Despite Solid 2016, Grid Threats Remain.)
“Bulk Power System reliability remains very high and continues to show year-over-year improvement,” Cauley said. “Industry has been very responsive to our risk-based approach and has been shifting resources to fix the most critical challenges to reliability. … These standards have had a major impact on reducing risk. Over time, we’ve seen a dramatic decline in the number and severity of compliance violations.”
But Cauley and many other panelists said it was time for another “Paragraph 81” process, referring to a provision in the commission’s March 2012 approval of NERC’s Find, Fix, Track and Report process that directed the organization to identify requirements that do little to protect reliability and could be removed. FERC ended up approving the retirement of 34 such requirements (RC11-6, et al.).
“It may be time to focus again on streamlining the requirements to ensure the investment in compliance is commensurate with the reliability gains,” Cauley said.
Speaking on behalf of the Large Public Power Council, Steven Wright, general manager of the Chelan Public Utility District in Washington state, wanted to go a step further. The risk-based approach hasn’t reduced Chelan’s documentation requirements: Of the 1,236 requirements and sub-requirements applicable to the utility, only four qualify for self-logging, Wright said.
He suggested that entities be granted waivers from certain standards if the IRA indicates their implementation of them doesn’t affect the grid.
Cauley disagreed with that idea, calling it an “optional menu.” NERC’s Regional Entities “legally have the discretion today to monitor and enforce whichever standards we feel suit an individual entity. And that’s really the purpose of the Inherent Risk Assessment. … I think the regions could do a better job of explaining that and explaining what could be looked at.
“But I don’t think it makes sense to take a North American set of standards and create sort of a little checklist matrix for each entity. The standards are the standards.”
Wright also suggested that there be more incentives for entities’ standard compliance, which Commissioner Colette Honorable pushed back on.
“I have a 16-year-old daughter, and she gets good grades. But I think she could get better grades,” she said. “So do I reward her for … getting the grades she should be getting anyway?”
Wright did not directly respond to the question of carrot vs. stick, but he made clear he felt LPPC’s members haven’t gotten enough “bang for our buck.”
“We are spending a lot of money” on IRAs and Internal Controls Evaluation, another RAI component, he said. “And I think it’s a good thing because we’re improving reliability, but if we can find efficiencies we should get them.”
‘Special Assessment’ on Gas Dependence
Acting FERC Chair Cheryl LaFleur asked what the commission or NERC should be doing to account for the increasing reliance on natural gas pipelines for baseload power. She pointed out that FERC has no jurisdiction over the reliability of natural gas pipelines (which belongs to the Transportation Department’s Pipeline and Hazardous Materials Safety Administration), but it does have jurisdiction over those who burn the gas.
“Should we be changing our planning standards in some way to take that potential loss of the pipeline into account or the gas storage” site? she asked. “Aliso Canyon brings that into the front of the discussion.”
Cauley responded that NERC is working on a special assessment report on the issue. The organization has been analyzing key pipelines and storage facilities and the potential impact of losing them on the grid.
“It will be clear from this report, I believe, that you should be planning for the loss of a most critical, most impactful facility, including if it’s on a gas system,” he said. “I am concerned that you have certain reliability standards and expectations on an electric system and what I consider a foundational piece — the fuel deliverability piece — doesn’t have an equivalent.”
Patricia Hoffman, acting assistant secretary of the Energy Department’s Office of Electric Delivery and Energy Reliability, suggested that grid operators do assessments to determine how dependent regions are on one fuel source.
The threat of cyberattacks took up a sizeable portion of the daylong conference.
NERC Chief Security Officer Marcus Sachs revealed that the organization had only learned about the most serious threat to date — malware known as CrashOverride — days before it was made public by two cybersecurity firms earlier this month. The program, which can control circuit breakers via supervisory control and data acquisition (SCADA) systems, was used last December to briefly cut power to about one-fifth of Kiev, Ukraine. (See Experts ID New Cyber Threat to SCADA Systems.)
Sachs recounted that NERC learned of CrashOverride on the afternoon of Friday, June 9. ESET, a Slovakian antivirus software provider, had contacted Maryland-based Dragos, asking it to review its findings before it publicized them on Monday. Dragos then contacted NERC, which worked over the weekend reviewing ESET’s work and producing a report. Dragos also produced its own report over the weekend.
“If we didn’t have those public-private partnerships already existing, we would have failed that weekend, and you would have had a huge media splash on Monday morning that none of us would have been ready for,” Sachs said.
Many experts believe hackers based in Russia are behind the attacks on Ukraine, which Sachs said has been under “relentless assault” for the past couple years: Banking, railroads and Internet service providers have all experienced disruptions.
But while everything points to Russia, it is also possible individuals posing as Russians are behind the attacks, Sachs said.
Speaking to RTO Insider, Sachs pointed to the Solar Sunrise incident in 1998, in which two teenagers from California attacked Defense Department systems and led the military to believe they were from Iraq. “Just because it looks like a duck, smells like a duck, quacks like a duck — it may be a moose,” he said.
There was considerable discussion about understaffing at the entities responsible for protecting against cyber threats. Many agreed that the supply of qualified cybersecurity workers is too small to meet the very high demand.
“At the state level, we’re generally not staffed for this type of thing,” New Hampshire Public Utilities Commissioner Robert Scott said. “We don’t have the expertise.”
“The electric utility, 30 years ago, was the place to go to out of college,” said Greg Ford, CEO of Georgia System Operations, a cooperative that provides power to half the households in the state. “Today it’s harder and harder to lure those college students.”
“It’s easier to find individuals who are familiar with cybersecurity when it comes to traditional [information technology] and Windows-based infrastructure,” said David Ball, director of AEP Transmission Dispatching. “The more difficult skill set to find today is … a power-based background” and familiarity with SCADA.
“People with these type of skills are very marketable and they’re very mobile,” Scott agreed. “At the state level, we can’t hope to attract those type of people.”
Sachs pointed out, however, that middle and high schools are increasingly sponsoring competitive cybersecurity exercises and students are competing in “hack-a-thons.”
“This is good news,” he said. “And it’s something we need to leverage. … Getting into cybersecurity is absolutely what we want these young kids to do.”
“All I can say to that is ‘Amen,’” Honorable replied.