By Rich Heidorn Jr.
WASHINGTON — FERC officials are engaged in a debate with ReliabilityFirst over the rigor of the modeling transmission owners should undertake to identify “critical” substations.
Matt Thomas, manager of critical infrastructure protection (CIP) compliance monitoring at ReliabilityFirst, told a Nov. 20 meeting of the RF Compliance Committee that FERC officials contend compliance with standard CIP-014 requires TOs to perform “dynamic” analyses in all cases, while RF believes they should be allowed discretion on when static load flow analyses are sufficient. Dynamic models can evaluate the grid’s performance under a variety of scenarios.
FERC approved the standard in response to the 2013 sniper attack on Pacific Gas and Electric’s Metcalf substation.
Requirement R1 of the standard requires TOs to identify substations “that if rendered inoperable or damaged could result in instability, uncontrolled separation or cascading within an interconnection.”
“The standard does not mandate a specific analysis, or specific analytical method for performing the risk assessment,” Thomas said. “[It has] given the transmission owner the discretion to choose the specific method that best suits its needs.”
“Our current approach follows what is also outlined in the standards guideline technical basis, that the transmission owner has the discretion to select the analysis method that best suits and fits the facts and system circumstances.”
“The various inputs for registered entities’ risk assessments will likely vary from entity to entity, from region to region, from ISO to ISO and … they’re all based on the topology, and the system characteristics, and the system configurations.”
“With FERC as the higher power here, does that basically require us to comply with that FERC viewpoint?” asked RF Board member Brenton Green.
“At this point, it is a collaborative conversation,” responded Thomas. “They’re trying to see our viewpoint and why we feel it is not required in all circumstances. And we’re also trying to learn from them why they feel it is required. Right now, it’s just a conversation.”
Thomas said RF is discussing the issue with FERC and NERC in hopes of “being aligned on a common approach across the ERO.”
NERC and officials of other regional entities did not respond to requests for comment Tuesday. FERC declined to comment.
“FERC’s assertion that dynamic studies [are required] is probably not a bad one,” said RF Board member Lou Oberski. “You get a different answer if you do a dynamic study than if you just do a simple power flow, load flow kind of [analysis where] you take a station out and see what happens,” he said.
But he said not all entities have the “horsepower” to perform such analyses. “It would be a big lift for the medium-sized entities.”
RF CEO Tim Gallagher said the RE is “supposed to apply engineering judgment.
“So, in cases where it is a large critical facility and we think based on system knowledge and engineering expertise a dynamic stability study is warranted, we’ll do it,” he said. “But to blindly require it for everyone in cases where we know from engineering experience it’s not a concern, that gets into an unnecessary burden and an extra cost. We understand the distinction. We don’t want people to think we’re not going to do our jobs just because it might inconvenience someone.”
Conflicts of Interest on Third-Party Inspections?
Thomas also told the committee increasing use of third parties to meet some of the standard’s requirements has raised questions of conflicts of interest.
Requirement R2 requires TOs have an “unaffiliated third party” verify their risk assessment was performed as required under R1. R6 requires a third-party signoff on the evaluation of sites’ vulnerability to physical attack under R4 and any security plans developed under R5.
“What we’ve seen a few times now is an entity using the same third party for both the activity and the verification,” Thomas said. “As an example, an entity used a third party for their R1 analysis to help them [because] they didn’t have the resources and would also use that same third party to verify their work.”
“It doesn’t quite make sense to have the same party doing the work, and it is something we are continuing to keep our eye on to ensure the risk is addressed,” he said, adding the standard doesn’t explicitly prohibit third parties from reviewing their own work. “The example is if … you had a general contractor build your house … could that general contractor also do the inspection on their work?”
Oberski said the standards drafting team had added the third-party verification requirement to make sure entities “didn’t leave something out” in their compliance measures.
Other Challenges
Auditing for CIP-014 compliance has been challenging, Thomas said, in part because of the sensitivity of location-specific information.
“We’re still learning what the appropriate level [of documentation] is,” he said. “We have to make sure we tell a story of what we reviewed and what we saw but we also can’t capture sensitive information.”
There also are logistical concerns: CIP-014 audits can require additional site visits to substations in addition to corporate offices where much of the audit takes place. He said a recent audit led by FERC spent a week onsite on CIP-014 only.
Gallagher said CIP-014 audits have had benefits along with the challenges. “It’s good in a way because it’s cross-functional — CIP, O&P [operations & planning] and RAPA [reliability assessment and performance analysis], so it’s good for our internal development … but it makes it really hard to schedule. It doesn’t really fit with a CIP audit itself.”
Gallagher said early CIP-003 spot checks were combined with the O&P and CIP-013 spot checks. “As … more of [the CIP standards] became effective, we decided to split those into two separate engagements, mostly logistically for the entities and for us, for the amount of [subject matter experts] that would be required. But with the idea of smaller focused engagements, we are looking at doing combined audits at the same time. We actually are piloting it in 2020 where it will be a combined CIP and O&P engagement.”
RF officials said the combined CIP/O&P engagements would be piloted only for larger entities when the audit scope is fairly narrow.