Commission Chairman Neil Chatterjee held a press conference on March 19 to discuss FERC’s work during the current pandemic, provide updates regarding the coronavirus (COVID-19), and respond to questions from the media. According to today’s announcements, FERC plans to keep operating as usual but will provide extensive flexibility to the regulated industry in addressing the effects of the pandemic on FERC-jurisdictional activities.
FERC and NERC issued a joint notice on Wednesday providing compliance flexibility on certain key reliability standard requirements during the ongoing coronavirus (COVID-19) pandemic. Although this guidance can allow utilities to avoid findings of noncompliance for certain requirements where timely compliance activities could be difficult due to personnel shortages and other limitations, this is not a blanket waiver. Instead, utilities must provide written notices of their intent to use this guidance. The content of those notices must be drafted carefully as they will be necessary to demonstrate compliance in future reviews.
The new flexibility is as follows:
- Due to the limited availability of NERC-certified operators, if a utility cannot provide sufficient certified operators to comply with PER-003 due to COVID-19, the use of noncertified operators is permitted through the end of 2020. In order to take advantage of this flexibility, utilities will need to notify their Regional Entities and Reliability Coordinators (ISO-NE and NYISO). Training requirements, such as those in PER-005, continue to apply.
- Because of the resource limitations during this time period, periodic actions required by the reliability standards that must occur between March 1, 2020, and July 31, 2020, can be missed on a case-by-case basis if the activities cannot be performed due to COVID-19. To use this flexibility, utilities will need to notify their regional entities of the specific actions that will be missed. These periodic requirements exist in both the Operating & Planning standards (such as protection system maintenance and testing) and the Critical Infrastructure Protection standards (such as patching and vulnerability assessments).
Following the increased spread of COVID-19 within the United States, the North American Electric Reliability Corporation (NERC) issued a Level 2 Alert on March 10 to all users, owners, and operators of the bulk-power system, outlining a series of recommendations and requiring certain responses from each entity about their plans for continued reliable operation under pandemic circumstances.
Although the Alert focuses on certain practical steps for maintaining electric reliability, it should also prompt electric utilities to consider the ways in which they can ensure that the tasks necessary for compliance with mandatory reliability standards can continue to be performed if large percentages of a utility’s workforce cannot be physically present in control centers, generation control rooms, or field locations. Thinking through and planning for the compliance program implications of the COVID-19 pandemic in advance of significant outbreaks can assist utilities in maintaining compliance under these circumstances.
Recommended Steps: Maintaining Electric Reliability
The NERC Alert notes that the spread of the virus is likely to increase in the near future, and to address those threats provides six recommendations:
- Utilities should maintain situational awareness of the spread of COVID-19 and follow Centers for Disease Control and Prevention (CDC) advisories in determining whether travel and attendance at events and conferences are appropriate.
- Personnel working at utilities should follow good hygiene practices and implement social distancing. As part of these efforts, utilities should enhance their cleaning practices, with a focus on those areas where utility personnel may be enclosed for extended periods of time, such as control rooms, conference rooms, and vehicles. The Alert also notes that utilities should consider reducing access to their facilities by visitors and segregating work crews who are on different schedules.
- Business continuity plans should be reviewed to address and prepare for disruptions such as significant staffing constraints and loss of contractor personnel. Notably, the Alert encourages utilities to establish thresholds for implementing remote work and similar workplace flexibility arrangements.
- Utilities should assess their ability to demonstrate resilience in the event they cannot receive ready resupply from supply chains that are often global in nature, particularly where procurement strategies rely in part on “just-in-time” logistics systems. The Alert recommends a review of current inventories, including what is likely to be available from suppliers.
- Utilities should consider whether their planned maintenance and construction activities should go forward on the same schedule, or whether certain projects should be prioritized in light of the ability to schedule outages, reduce the consumption of inventory, and work through workforce limitations.
- Utilities should be aware of a number of cyber-risks related to COVID-19, including the heightened risk that phishing and similar social engineering attacks could take advantage of the heightened anxiety surrounding the pandemic and the need to maintain cyber asset availability in the event of staffing disruption and widespread remote work needs.
The Alert requires utilities to respond to several questions, with responses due on March 20, 2020. The questions ask whether the utility
- has a pandemic response plan;
- has reviewed staffing requirements and resources in preparation for a pandemic emergency from COVID-19;
- would be able to provide mutual aid to other companies if the company’s region is not affected;
- has reviewed supply chains and services for potential disruptions; and
- anticipates other risks to reliability and security from the event.
Compliance Planning Implications
Although the Alert does not directly address compliance planning under pandemic conditions, utilities subject to NERC reliability standards should consider the steps they may need to take to achieve continued compliance in circumstances where personnel shortages may be acute, remote working arrangements may be required, and resupply of key inventory could be difficult to achieve.
Although each utility’s circumstances differ, considering the following issues may be helpful in ensuring compliance during this difficult period and avoiding the expense and time required to resolve instances of noncompliance.
- Stress-Test Your Remote Working. Consider the ability of company networks to handle nearly all of the utility’s personnel working remotely, including through stress-testing remote work capabilities. If there are limitations, consider providing prioritized access to personnel whose access is necessary for achieving compliance, such as personnel responsible for reviewing access logs, troubleshooting operator and energy management system issues, installing patches, and configuration management.
- Assess the Ability to Supply Sufficient Personnel. Evaluate the ability of the utility’s supply chain to supply needed parts and personnel. For example, if protection system maintenance activities require the replacement of certain parts, consider whether an adequate supply exists without significant resupply. Similarly, if vegetation management requires significant personnel, including contractor personnel, consider how those tasks can be completed within the time frame with a smaller workforce.
- Analyze Changes to Tasks at Remote Sites. For tasks that require significant travel to remote locations, such as patching systems without interactive remote access, consider whether the workforce would be able to support those time-intensive tasks and, if not, consider whether alternatives are available (e.g., the use of patch mitigation plans) or if tasks could be pushed up or pushed out while staying within the necessary time frame.
- Protect Key Teams. Consider methods to separate and protect teams such as restoration teams, construction teams, control center shifts, and the like that are necessary to maintain day-to-day operations for the reliability coordinator, transmission operator, balancing authority, and generator operator functions.
- Determine Minimum Staffing Levels. Consider identifying the minimum staffing level at which certain operational assets can continue to operate safely and in compliance, and below which that asset would be taken offline.
- Expand the Pool of Qualified Personnel. Consider expanding the pool of personnel who have received personnel risk assessments and background training for working with assets subject to critical infrastructure protection reliability standards.
- Communicate with Audit Teams. If your utility has an in-person audit or spot check scheduled in the near future, consider outreach to the audit or spot-check team lead to discuss moving to remote reviews that avoid large in-person meetings and travel. For example, audit interviews could be conducted by phone, with evidence presented electronically.
Note that although the NERC Sanction Guidelines would allow NERC and the Regional Entities to consider the extenuating circumstances of a pandemic in assessing a penalty—or forgoing a financial penalty entirely—NERC cannot waive noncompliance, and in many cases the true cost of resolving noncompliance is the reporting, enforcement resolution, and mitigation expense.
As your utility continues its preparation for COVID-19, consider reviewing the additional federal and NERC guidance linked below:
- NERC’s Influenza Pandemic Planning, Preparation, and Response Reference Guide
- Joint NERC-DOE High-Impact, Low-Frequency Event Risk to the North American Bulk Power System
- DHS’s Pandemic Influenza Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key Resources
If you have any questions about reliability compliance or other utility operational or commercial issues under pandemic circumstances, please reach out to any of the authors of this post.
At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.
New Strategic Focus Areas
Commission staff developed the following five focus areas based on their review of threat reports (public and nonpublic), global cybersecurity events, North American Electric Reliability Corporation (NERC) CIP standards, and OEP’s specialized security program for hydropower projects.
- Supply Chain/Insider Threat/Third-Party Authorized Access
This is not the first time the Commission has made supply chain and third-party (or vendor) management security a priority. In 2016, the Commission directed NERC to develop mandatory supply chain risk management controls, which have since been approved and are set to take effect next year.
Facing what it deems an “unprecedented number of FOIA requests” for nonpublic information related to utility violations of the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) requirements governing cybersecurity compliance for critical electric infrastructure, FERC Staff has issued a white paper proposing to make publicly available additional information regarding those violations, including the names of the utilities involved. If adopted, this proposal could increase the risk of a serious and successful attack on the nation’s electric infrastructure with no benefit other than a “name and shame” approach to CIP enforcement.
FERC recently approved proposed Reliability Standard CIP-008-6, which expands the mandatory reporting requirements for Cyber Security Incidents that attempt to compromise the operation of the bulk power system. Under the new standard, electric utilities will need to implement more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents and attempted cyber intrusions than are currently required. The new standard goes into effect on January 1, 2021.
As we reported, NERC developed the revised standard in response to the Commission’s directive to broaden the scope of mandatory reporting of Cyber Security Incidents. In particular, the Commission was concerned with the risk posed by malicious intrusion attempts that might facilitate subsequent efforts to harm the reliable operation of the bulk power system.
The supply chain risks facing electric utilities have long been a concern for industry stakeholders and regulators alike. Reflecting those concerns, NERC submitted a report on May 28 to FERC recommending the expansion of requirements addressing supply chain cybersecurity risks for electric utilities, concluding that the scope of those requirements needed to expand to match the scope of the cybersecurity risk. The development of such revised standards will itself be a lengthy process and subject to additional FERC review.
FERC Staff issued a report on March 29 on Commission-led critical infrastructure protection (CIP) reliability audits completed for fiscal years 2016 through 2018. The report provides lessons learned from those audits, as well as voluntary recommendations on cybersecurity practices to enhance the protection of electric infrastructure from cyberattacks. Even though many of these recommendations go beyond what is necessary for compliance with the mandatory CIP reliability standards, FERC is likely to view implementation of these recommendations as evidence of a strong cybersecurity culture that proactively addresses best cybersecurity practices and evolving threats. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or the Regional Entities.
The North American Electric Reliability Corporation (NERC) petitioned the Federal Energy Regulatory Commission (FERC) on March 7 to approve a revised reliability standard for electric utilities aimed at enhancing existing cybersecurity incident reporting. The proposed CIP-008-6 reliability standard would expand the scope of the type of assets subject to incident reporting and the categories of incidents affecting those systems that must be reported. If FERC approves the standard as proposed, compliance will require more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents affecting electric utilities.
The US Government Accountability Office (GAO) issued a report on December 18, 2018, identifying significant weaknesses in the Department of Homeland Security’s (DHS) Transportation Security Administration’s (TSA) Pipeline Security Program management and recommending improvements to address those weaknesses. The report was driven by a recognition that “pipelines increasingly rely on sophisticated networked computerized systems and electronic data, which are vulnerable to cyber attack or intrusion,” and that “new threats to the nation’s pipeline systems have evolved to include sabotage by environmental activists and cyber attack or intrusion by nations.”