By Rich Heidorn Jr.
WASHINGTON — Panelists at FERC’s annual reliability technical conference Thursday praised the Electric Reliability Organization’s maturation but acknowledged continuing challenges with the speed of standards development and the consistency of compliance determinations.
SPP CEO Nick Brown said that while NERC has made progress since its “adolescently clumsy” stage, it still is too slow to respond to emerging threats and that its focus on enforcement is interfering with collaboration that he said would be more productive.
“The standards development process is continually outpaced by technology and the changing threat vectors. … We simply need to speed the process of modifying the standards,” he said.
Brown also complained of disagreements among NERC and the regional entities over what constitutes compliance on individual standards. “While I appreciate NERC and the regions’ efforts to harmonize their views of the standards and their interpretation of the standards, I will say after 12 years, this area remains elusive to say the least.”
He said the priority on enforcement is “slowing the maturation of the standards development process and the consistency in interpreting the standards.
“I would highly encourage NERC and the regions to take full advantage of the outreach and assurance assessment component of the [Compliance Monitoring and Enforcement Program]. That collaborative approach is far more beneficial than focusing on the enforcement aspect when it comes to compliance. Internal controls, in my view, are the best and most appropriate way to move us toward a more reliable bulk electric system.”
Brown said the ERO has been focused on enforcement “because of a few bad actors.” He said penalties should be reserved for companies whose boards and senior management are not focused on compliance.
“I believe the vast majority of this industry wants to do the right thing. And when they can understand the intent behind the standards and collaboratively agree on what compliance means, then we’re going to be better off.”
But Jennifer Sterling, Exelon’s vice president of NERC compliance and security, said the organization and its REs have made progress in their consistency and in moving away from a punishment-first point of view.
“We’ve been able to work with our regions to develop more of a collaborative approach to compliance with the [critical infrastructure protection] standards. Recent enhancements such as self-logging really show a lot of promise. The compliance exception process, which allows for us to basically self-identify issues [and] mitigate them quickly without a penalty threat, are very helpful and allow us to … be very open and honest with our issues.”
Commissioner Cheryl LaFleur asked panelists how FERC should handle Freedom of Information Act requests for the identities of CIP violators. The commission has been dealing with the requests on a case-by-case basis.
“We have to be careful that we’re not overprotecting information that might have more reputational harm than security harm,” LaFleur said. “There’s a legitimate interest in transparency.”
“It’s not a secret that the industry had its struggles in the early days of the CIP standards and that most utilities probably do have a settlement agreement on file with FERC,” said Sterling, speaking on behalf of the Edison Electric Institute, which she said favors FERC’s continued use of case-by-case determinations. “That said, we do have to … have a balance between transparency and protecting critical information that could be used by intelligent adversaries to sort of back-engineer their way into exploiting vulnerabilities. Some of the settlement agreements that were filed early on contain a lot of information about exactly how the issues were mitigated.”
Tim Gallagher, CEO of ReliabilityFirst, said that registered entities need time to go through a “recovery period” after mitigating violations.
Releasing the names too soon would expose an entity as “sort of like there’s a weakened animal in the herd, and that’s where all the lions are going to go,” he said. “A lot of the issues we run into are not technological but cultural, organizational. And those sometimes take longer to correct.”
Commissioner Richard Glick said he was concerned about a lack of deterrence. “To the extent that companies are penalized but we don’t name the names, they’re not sufficiently incented to not disregard the rules … the next time,” he said.
Glick asked NERC CEO Jim Robb if there was a way to release the names of companies without tying the disclosure to specific violations.
“I’m sure there’s a path through this,” Robb responded. He emphasized the difference between CIP violations and operations and planning (O&P) violations. “O&P violations are the result of random events that occur out on the system that may or not been well-protected against. … In the CIP area, we’re dealing with determined adversaries.
“We can’t fine a company enough relative to the risk that they have from a cyber event. And I think management and executives understand that,” he added. The root causes of most CIP violations, he said, are “embedded in management structure, approach [and] philosophy.”
Efficiency
Robb said the ERO has “harmonized” more than 70 processes in the CMEP.
Jack Cashin, director of policy analysis and reliability standards for the American Public Power Association, said the ERO should continue its focus on operational efficiency and effectiveness.
“This is not to suggest that NERC should simply concentrate on cost savings or cutting back processes and procedures. Greater efficiency should not come at the expense of reduced effectiveness,” he said, saying APPA supports the increased spending to support the expansion of the Electricity Information Sharing and Analysis Center. “Opportunities for robust stakeholder input and debate might be regarded in some sense as inefficient. But the end results of such subject matter experts’ stakeholders-informed processes are likely to be more effective than decisions made without adequate stakeholder input.”
Fuel Supply
Robb and NERC Chief Reliability Officer Mark Lauby called for changes in how planners evaluate the importance of fuel supplies to resource adequacy, with a decreased reliance on capacity reserve margins.
“You can have infinite capacity without fuel,” Lauby said. Future plans, he said, should focus on ensuring operators have sufficient energy, demand response and storage to “change the paradigm so we’re not thinking about the one event in 10 years from a forced outage calculation based on capacity, and start looking more and more at the energy.”
Robb called for changes to the natural gas industry. “One of the other paradigms that we need to get beyond is [that] the gas industry tends to always think of itself on a volumetric basis: Do I have enough [British thermal units] to serve the needs of my customers? … I think what we learned coming out of California — with the duck curve, with the expansion of solar, the very rapid ramp rates that we’re seeing — the gas industry needs to start thinking about itself much the way the power industry does in terms of peak versus average. Because you can have all the BTUs you want, but if there’s not enough pressure in the system to meet the ramp rate and demands that power plants have, it’s not particularly helpful.”
SPP’s Brown said the fuel supply chain should be considered part of the BES for contingency analyses. “I’ll also say that we believe capacity obligations need to move under NERC’s purview rather than continue to be under the purview of individual regions,” he said.
Peter C. Balash, a senior economist for the Department of Energy’s National Energy Technology Laboratory, said the electric system “has been in great turmoil for the last decade” because of regulatory pressure, plentiful gas supplies and state-level policy interventions.
He said about 80% of weather events “could probably be ameliorated with three days of natural gas” stored on site, which he said would increase gas generators’ capital costs by about 15%.