At its June 18 open meeting, FERC issued a notice of inquiry seeking public input on cybersecurity-related enhancements to the Critical Infrastructure Protection (CIP) reliability standards. In light of the constantly evolving nature of cybersecurity threats to the bulk power system, FERC is interested in determining whether the current CIP standards adequately address specific cyberrisk areas related to data security and cybersecurity incident detection, containment, and mitigation. In addition, FERC is seeking comment on the potential risk of a coordinated cyberattack on geographically distributed targets.
President Donald Trump signed an executive order on May 1 declaring that the use of bulk-power system equipment supplied by companies controlled by certain foreign nations poses an extraordinary threat to the US power grid. The order observes that the bulk-power system is a valuable target for malicious actors, and any attack on that system could pose serious risks to the economy, public health and safety, and national security.
In light of those risks, the executive order declares a national emergency with respect to the power grid and moves to ban the unrestricted import or use of bulk-power system electric equipment from foreign adversaries. Although the order calls for coordination among multiple executive branch heads, including the Director of National Intelligence and the Secretary of Homeland Security, it primarily tasks the Secretary of Energy with fulfilling the President’s directives.
In an order issued on April 17, the Federal Energy Regulatory Commission (FERC) agreed to defer implementation of certain cybersecurity and operational reliability standards administered by the North American Electric Reliability Corporation (NERC) that had important compliance milestones later this year, including the suite of supply chain risk management standards that have been under development for several years and were set to take effect on July 1. The move by FERC is intended to provide some measure of relief from impending compliance burdens and to allow electric utilities to focus their resources on responding to the coronavirus (COVID-19) pandemic.
FERC and NERC issued a joint notice on Wednesday providing compliance flexibility on certain key reliability standard requirements during the ongoing coronavirus (COVID-19) pandemic. Although this guidance can allow utilities to avoid findings of noncompliance for certain requirements where timely compliance activities could be difficult due to personnel shortages and other limitations, this is not a blanket waiver. Instead, utilities must provide written notices of their intent to use this guidance. The content of those notices must be drafted carefully as they will be necessary to demonstrate compliance in future reviews.
The new flexibility is as follows:
- Due to the limited availability of NERC-certified operators, if a utility cannot provide sufficient certified operators to comply with PER-003 due to COVID-19, the use of noncertified operators is permitted through the end of 2020. In order to take advantage of this flexibility, utilities will need to notify their Regional Entities and Reliability Coordinators (ISO-NE and NYISO). Training requirements, such as those in PER-005, continue to apply.
- Because of the resource limitations during this time period, periodic actions required by the reliability standards that must occur between March 1, 2020, and July 31, 2020, can be missed on a case-by-case basis if the activities cannot be performed due to COVID-19. To use this flexibility, utilities will need to notify their regional entities of the specific actions that will be missed. These periodic requirements exist in both the Operating & Planning standards (such as protection system maintenance and testing) and the Critical Infrastructure Protection standards (such as patching and vulnerability assessments).
Following the increased spread of COVID-19 within the United States, the North American Electric Reliability Corporation (NERC) issued a Level 2 Alert on March 10 to all users, owners, and operators of the bulk-power system, outlining a series of recommendations and requiring certain responses from each entity about their plans for continued reliable operation under pandemic circumstances.
Although the Alert focuses on certain practical steps for maintaining electric reliability, it should also prompt electric utilities to consider how they can ensure that the tasks necessary for compliance with mandatory reliability standards can continue to be performed if large percentages of a utility’s workforce cannot be physically present in control centers, generation control rooms, or field locations. Thinking through and planning for the compliance program implications of the COVID-19 pandemic in advance of significant outbreaks can assist utilities in maintaining compliance under these circumstances.
Recommended Steps: Maintaining Electric Reliability
The NERC Alert notes that the spread of the virus is likely to increase in the near future and provides six recommendations to address those threats:
- Utilities should maintain situational awareness of the spread of COVID-19 and follow Centers for Disease Control and Prevention (CDC) advisories in determining whether travel and attendance at events and conferences is appropriate.
- Personnel working at utilities should follow good hygiene practices and implement social distancing. As part of these efforts, utilities should enhance their cleaning practices, with a focus on those areas where utility personnel may be enclosed for extended periods of time, such as control rooms, conference rooms, and vehicles. The Alert also notes that utilities should consider reducing access to their facilities by visitors and segregating work crews that are on different schedules.
- Business continuity plans should be reviewed to address and prepare for disruptions such as significant staffing constraints and loss of contractor personnel. Notably, the Alert encourages utilities to establish thresholds for implementing remote work and similar workplace flexibility arrangements.
- Utilities should assess their ability to demonstrate resilience in the event they cannot receive ready resupply from supply chains that are often global in nature, particularly where procurement strategies rely in part on “just-in-time” logistics systems. The Alert recommends a review of current inventories, including what is likely to be available from suppliers.
- Utilities should consider whether their planned maintenance and construction activities should go forward on the same schedule, or whether certain projects should be prioritized in light of the ability to schedule outages, reduce the consumption of inventory, and work through workforce limitations.
- Utilities should be aware of a number of cyber-risks related to COVID-19, including the heightened risk that phishing and similar social engineering attacks could take advantage of the heightened anxiety surrounding the pandemic and the need to maintain cyber asset availability in the event of staffing disruption and widespread remote work needs.
The Alert requires utilities to respond to several questions, with responses due on March 20, 2020. The questions ask whether the utility
- has a pandemic response plan;
- has reviewed staffing requirements and resources in preparation for a pandemic emergency from COVID-19;
- would be able to provide mutual aid to other companies if the company’s region is not affected;
- has reviewed supply chains and services for potential disruptions; and
- anticipates other risks to reliability and security from the event.
Compliance Planning Implications
Although the Alert does not directly address compliance planning under pandemic conditions, utilities subject to NERC reliability standards should consider the steps they may need to take to achieve continued compliance in circumstances where personnel shortages may be acute, remote working arrangements may be required, and resupply of key inventory could be difficult to achieve.
Although each utility’s circumstances differ, considering the following issues may be helpful in ensuring compliance during this difficult period and avoiding the expense and time required to resolve instances of noncompliance.
- Stress-Test Your Remote Working. Consider the ability of company networks to handle nearly all of the utility’s personnel working remotely, including through stress-testing remote work capabilities. If there are limitations, consider providing prioritized access to personnel whose access is necessary for achieving compliance, such as personnel responsible for reviewing access logs, trouble-shooting operator and energy management system issues, installing patches, and configuration management.
- Assess the Ability to Supply Sufficient Personnel. Evaluate the ability of the utility’s supply chain to supply needed parts and personnel. For example, if protection system maintenance activities require the replacement of certain parts, consider whether an adequate supply exists without significant resupply. Similarly, if vegetation management requires significant personnel, including contractor personnel, consider how those tasks can be completed within the time frame with a smaller workforce.
- Analyze Changes to Tasks at Remote Sites. For tasks that require significant travel to remote locations, such as patching systems without interactive remote access, consider whether the workforce would be able to support those time-intensive tasks and, if not, consider whether alternatives are available (e.g., the use of patch mitigation plans) or if tasks could be pushed up or pushed out while staying within the necessary time frame.
- Protect Key Teams. Consider methods to separate and protect teams such as restoration teams, construction teams, control center shifts, and the like that are necessary to maintain day-to-day operations for the reliability coordinator, transmission operator, balancing authority, and generator operator functions.
- Determine Minimum Staffing Levels. Consider identifying the minimum staffing level at which certain operational assets can continue to operate safely and in compliance, and below which that asset would be taken offline.
- Expand the Pool of Qualified Personnel. Consider expanding the pool of personnel who have received personnel risk assessments and the required training for working with assets subject to critical infrastructure protection reliability standards.
- Communicate with Audit Teams. If your utility has an in-person audit or spot check scheduled in the near future, consider outreach to the audit or spot-check team lead to discuss moving to remote reviews that avoid large in-person meetings and travel. For example, audit interviews could be conducted by phone, with evidence presented electronically.
Note that although the NERC Sanction Guidelines would allow NERC and the Regional Entities to consider the extenuating circumstances of a pandemic in assessing a penalty—or forgoing a financial penalty entirely—NERC cannot waive noncompliance, and in many cases the true cost of resolving noncompliance is the reporting, enforcement resolution, and mitigation expense.
As your utility continues its preparation for COVID-19, consider reviewing the additional federal and NERC guidance linked below:
- NERC’s Influenza Pandemic Planning, Preparation, and Response Reference Guide
- Joint NERC-DOE High-Impact, Low-Frequency Event Risk to the North American Bulk Power System
- DHS’s Pandemic Influenza Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key Resources
If you have any questions about reliability compliance or other utility operational or commercial issues under pandemic circumstances, please reach out to any of the authors of this post.
A cyberattack on a single gas compression facility resulted in the shutdown of a natural gas pipeline for two days, according to a recent alert from the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The Federal Energy Regulatory Commission (FERC) on December 19, 2019, directed PJM Interconnection to extend its minimum offer price rule (MOPR) from new natural gas–fired electric generators to also cover any generator that receives or is entitled to receive certain types of state subsidies. The rule aims at preserving competitive capacity auctions by preventing resources that receive subsidies from submitting bids that would otherwise be uneconomical—and therefore likely to “capture” a PJM capacity award based on a below-market capacity rate—if not for state support. The order means that existing or planned resources that expected to clear capacity markets with rates made economical by state subsidies will have to identify alternate strategies to generate revenue; so too will states seeking to promote the development or prevent the retirement of preferred but noncompetitive resources.
At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.
New Strategic Focus Areas
Commission staff developed the following five focus areas based on their review of threat reports (public and nonpublic), global cybersecurity events, North American Electric Reliability Corporation (NERC) CIP standards, and OEP’s specialized security program for hydropower projects.
- Supply Chain/Insider Threat/Third-Party Authorized Access
This is not the first time the Commission has made supply chain and third-party (or vendor) management security a priority. In 2016, the Commission directed NERC to develop mandatory supply chain risk management controls, which have since been approved and are set to take effect next year.
In an effort to address anticipated electricity shortages and reliability challenges in California, the California Public Utilities Commission (CPUC) voted on November 7 to authorize the procurement of 3,300 MW of energy by 2023. The CPUC also intends to seek extensions of certain compliance deadlines from the State Water Resources Control Board for almost 4,800 MW of gas generation units due to retire soon because they use ocean water for so-called “once-through cooling,” which can have a detrimental impact on marine life.
For more details on the CPUC’s actions, read the full LawFlash.
FERC Staff issued an October 4 report on Commission-led critical infrastructure protection (CIP) reliability audits completed during fiscal year 2019. The report provides lessons learned and identifies voluntary practices that FERC Staff observed during those audits that could improve the protection of electric infrastructure from cyberattacks.