Following the increased spread of COVID-19 within the United States, the North American Electric Reliability Corporation (NERC) issued a Level 2 Alert on March 10 to all users, owners, and operators of the bulk-power system, outlining a series of recommendations and requiring certain responses from each entity about their plans for continued reliable operation under pandemic circumstances.
Although the Alert focuses on certain practical steps for maintaining electric reliability, it should also prompt electric utilities to consider the way in which that can ensure that the tasks necessary for compliance with mandatory reliability standards can continue to be performed if large percentages of a utility’s workforce cannot be physically in control centers, generation control rooms, or field locations. Thinking through and planning for the compliance program implications of the COVID-19 pandemic in advance of significant outbreaks can assist utilities in maintaining compliance under these circumstances.
Recommended Steps: Maintaining Electric Reliability
The NERC Alert notes that the spread of the virus is likely to increase in the near future, and to address those threats provides six recommendations:
- Utilities should maintain situational awareness of the spread of COVID-19 and follow Centers for Disease Control and Prevention (CDC) advisories in determining whether travel and attendance at events and conferences is appropriate.
- Personnel working at utilities should follow good hygiene practices and implement social distancing. As part of these efforts, utilities should enhance their cleaning practices, with a focus on those areas where utility personnel may be enclosed for extended periods of time, such as control rooms, conference rooms, and vehicles. The Alert also notes that utilities should consider reducing access to their facilities by visitors, and segregating work crew who are on different schedules.
- Business continuity plans should be reviewed to address and prepare for disruptions such as significant staffing constraints and loss of contractor personnel. Notably, the Alert encourages utilities to establish thresholds for implementing remote work and similar workplace flexibility arrangements.
- Utilities should assess their ability to demonstrate resilience in the event they cannot receive ready resupply from supply chains that are often global in nature, particularly where procurement strategies rely in part on “just-in-time” logistics systems. The Alert recommends a review of current inventories, including what is likely to be available from suppliers.
- Utilities should consider whether their planned maintenance and construction activities should go forward on the same schedule, or whether certain projects should be prioritized in light of the ability to schedule outages, reduce the consumption of inventory, and work through workforce limitations.
- Utilities should be aware of a number of cyber-risks related to COVID-19, including the heightened risk that phishing and similar social engineering attacks could take advantage of the heightened anxiety surrounding the pandemic and the need to maintain cyber asset availability in the event of staffing disruption and widespread remote work needs.
The Alert requires utilities to respond to several questions, with responses due on March 20, 2020. The questions ask whether the utility
- has a pandemic response plan;
- has reviewed staffing requirements and resources in preparation for a pandemic emergency from COVID-19;
- would be able to provide mutual aid to other companies if the company’s region is not affected;
- has reviewed supply chains and services for potential disruptions; and
- anticipates other risks to reliability and security from the event.
Compliance Planning Implications
Although the Alert does not directly address compliance planning under pandemic conditions, utilities subject to NERC reliability standards should consider the steps they may need to take to achieve continued compliance in circumstances where personnel shortages may be acute, remote working arrangements may be required, and resupply of key inventory could be difficult to achieve.
Although each utility’s circumstances differ, considering the following issues may be helpful in ensuring compliance during this difficult period and avoiding the expense and time required to resolve instances of noncompliance.
- Stress-Test Your Remote Working. Consider the ability of company networks to handle nearly all of the utility’s personnel working remotely, including through stress-testing remote work capabilities. If there are limitations, consider providing prioritized access to personnel whose access is necessary for achieving compliance, such as personnel responsible for reviewing access logs, trouble-shooting operator and energy management system issues, installing patches, and configuration management.
- Assess the Ability to Supply Sufficient Personnel. Evaluate the ability of the utility’s supply chain to supply needed parts and personnel. For example, if protection system maintenance activities require the replacement of certain parts, consider whether an adequate supply exists without significant resupply. Similarly, if vegetation management requires significant personnel, including contractor personnel, consider how those tasks can be completed within the time frame with a smaller workforce.
- Analyze Changes to Tasks at Remote Sites. For tasks that require significant travel to remote locations, such as patching systems without interactive remote access, consider whether the workforce would be able to support those time-intensive tasks and, if not, consider whether alternatives are available (e.g., the use of patch mitigation plans) or if tasks could be pushed up or pushed out while staying within the necessary time frame.
- Protect Key Teams. Consider methods to separate and protect teams such as restoration teams, construction teams, control center shifts, and the like that are necessary to maintain day-to-day operations for the reliability coordinator, transmission operator, balancing authority, and generator operator functions.
- Determine Minimum Staffing Levels. Consider identifying the minimum staffing level at which certain operational assets can continue to operate safely and in compliance, and below which that asset would be taken offline.
- Expand the Pool of Qualified Personnel. Consider expanding the pool of personnel who have received personnel risk assessments and background trainings for working with assets subject to critical infrastructure protection reliability standards.
- Communicate with Audit Teams. If your utility has an in-person audit or spot check scheduled in the near future, consider outreach to the audit or spot-check team lead to discuss moving to remote reviews that avoid large in-person meetings and travel. For example, audit interviews could be conducted by phone, with evidence presented electronically.
Note that although the NERC Sanction Guidelines would allow NERC and the Regional Entities to considering the extenuating circumstances of a pandemic in assessing a penalty—or foregoing a financial penalty entirely—NERC cannot waive noncompliance, and in many cases the true cost of resolving noncompliance is the reporting, enforcement resolution, and mitigation expense.
As your utility continues its preparation for COVID-19, consider reviewing the additional federal and NERC guidance linked below:
- NERC’s Influenza Pandemic Planning, Preparation, and Response Reference Guide
- Joint NERC-DOE High-Impact, Low-Frequency Event Risk to the North American Bulk Power System
- DHS’s Pandemic Influenza Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key Resources
If you have any questions about reliability compliance or other utility operational or commercial issues under pandemic circumstances, please reach out to any of the authors of this post.