FERC OKs NERC Violation Settlements
By Rich Heidorn Jr.
FERC last week accepted settlements with Duquesne Light Co. and an unnamed municipal utility in the Western Electricity Coordinating Council for violations of NERC reliability standards. The commission filed a notice Friday that it would not review the penalties, leaving NERC’s settlements intact (NP19-6).
NERC reported the settlements in a spreadsheet notice of penalty on March 28.
$40,000 Penalty for Duquesne Light
Duquesne agreed to a $40,000 penalty for inaccurate ratings of some substation conductors and a 138-kV circuit, violations of FAC-008-3 R6.
The substation inaccuracy — caused by entering an incorrect input value into one of the rating equations — resulted in a reduction of the overall facility rating for three transformers.
The violation extended for more than two years because Duquesne “lacked an effective verification control” to quickly detect and correct the error, NERC said. The company alerted regional entity ReliabilityFirst of the problem in a self-report in August 2017, after completing its mitigation plan.
NERC said the violation did not indicate a systemic issue with Duquesne’s FAC-008 program because only about 3% of the company’s bulk electric system (BES) transmission facilities were affected.
NERC determined the violation posed a moderate risk and could lead to equipment failure. “The risk is increased because of the long multiyear duration of the violation, but the risk is lessened (and not serious) because only one of the incorrect substation conductor ratings [was] the most limiting factor for these facilities,” NERC said. “The changes that did result in a facility ratings change did not impact the load dump ratings at any ambient temperature set but did impact the normal and emergency ratings.”
The second violation, involving the Clairton‐West Mifflin 138-kV circuit, was discovered during a compliance audit in December 2017. NERC said a section of overhead stranded conductor was not shown in Duquesne’s circuit map. After updating the map, Duquesne conducted a new analysis that resulted in reducing the summer 95 degrees Fahrenheit continuous rating from 932 amperes to 919 amperes.
The violation resulted in ratings reductions for three of Duquesne’s 85 BES transmission circuits (4%).
Although the incorrect ratings were in place for more than three years, NERC characterized the risk as minor “because the change in rating on the 138-kV circuit was minimal: just 13 amperes.”
NERC credited Duquesne for its cooperation in the investigation but said the company’s FAC-008/FAC-009 compliance history was an aggravating factor in determining the penalty.
Muni Lacked Familiarity with NERC Standards
FERC also chose not to review NERC’s settlement with an unnamed municipal utility over six violations of critical infrastructure protection (CIP) standards. NERC redacted some details of the violations and the utility’s name to protect critical energy/electric infrastructure information (CEII).
NERC’s filing said the utility:
Mischaracterized cyber systems at a substation as low-impact BES cyber systems (LIBCS) that should have been considered medium-impact BES cyber systems (MIBCS). An incorrect analysis found the systems connected to only two other substations when they were actually connected to four other transmission assets and had ties to two different entities, NERC said.
Failed to eliminate unneeded network accessible ports from an engineering workstation in a data center.
Failed to conduct an adequate security patch management program, including a requirement to check for new security patches every 35 days. NERC cited the entity’s “lack of knowledge and understanding of CIP standards.”
Gave five employees electronic or unescorted physical access to its MIBCS without having completed access request forms.
Failed to identify in its baseline configuration all of its network accessible ports and security patches applied to assets.
Failed to perform required change management activities for BES assets, electronic access control monitoring systems and physical access control systems.
Failed to provide evidence that it removed the ability of employees to access its systems within 24 hours of a termination.
NERC imposed no financial penalties for the violations and said none of them posed a “serious or substantial risk” to the reliability of the BES. The entity is a “very small municipal power company that employs few staff and has an extremely low turnover,” NERC said.