Cold, Security Lead MRO Risk Assessment
Increasing incidents of extreme weather, along with threats to cybersecurity, are pressing items identified in MRO’s draft Regional Risk Assessment.

By Holden Mann

ST. PAUL, Minn. — Increasing incidents of extreme winter weather, along with threats to physical and cybersecurity, are the most pressing items identified in Midwest Reliability Organization’s draft Regional Risk Assessment, presented at the organization’s Annual Member and Board of Directors Meeting last week.

The report follows NERC’s 2019 ERO Reliability Risk Priorities Report, which analyzed the risks facing electric utilities on a national scale and grouped them into four major categories: grid transformation; extreme natural events, including both weather and geomagnetic disturbances (GMD); security risks; and critical infrastructure interdependencies. (See NERC Board of Trustees Briefs: Nov. 5, 2019.) MRO aimed to determine which areas had a higher or lower potential burden for operators in the region.

Resource Mix Heightens Weather Impact

Given MRO’s footprint, which extends from Oklahoma to as far north as Saskatchewan and Manitoba, it is not surprising that winter weather, along with GMD events, is a higher priority than in warmer regions. However, officials said winter challenges have become more pronounced over the last 10 years, with extreme events such as the 2011 polar vortex straining grid capacity even in the southern areas of the region.

John Seidel, MRO | © ERO Insider

“Winter peak demand is approaching or exceeding summer peak during severe cold spells. For example, on [the] Jan. 17, 2018, [cold-weather] event in the southern portion of the Midwest, all five entities involved exceeded their winter forecast by about 5 to 13%,” said John Seidel, MRO’s principal technical adviser. “It’s pretty interesting what winter … can cause, mainly due to the electric heating that occurs during the severe cold.” The 2018 event led FERC and NERC in July to call for a winterization standard. (See Gen Operators Cool to Winter Preparedness Standard.)

MRO’s changing resource mix can also complicate the cold-weather issues, as conventional synchronous generation is replaced by renewable options such as wind, with output that is harder to predict. Seidel cited the gap between MISO’s predicted and actual wind energy production during the Jan. 30, 2019, cold-weather event as an example of this concern, adding that the problem was exacerbated when the extreme cold led turbines to hit their cutoff temperatures just as the need for their energy was most acute. (See Extreme Weather Tops NERC Winter Outlook.)

Evolving Threats, Lagging Response

Rapid change is also a hallmark of the technology landscape, and the need to determine how to integrate new technology tools while maintaining the reliability of the grid continues to be a source of headaches for security professionals.

Steen Fjalstad, security and mitigation principal at MRO, observed that 2019 saw no reported cyber or physical security incidents in the bulk power system that caused a loss of load, according to NERC’s Electricity Information Sharing and Analysis Center (E-ISAC). Along with this good news, however, there is also no shortage of reminders about the dangers that can arise from deploying new technology without adequate preparation.

Steen Fjalstad, MRO security and mitigation principal (left), and John Seidel, MRO principal technical adviser | © ERO Insider

“There have been recent breaches, not necessarily in our sector … due to cloud storage, and … identifying if we have the same risks and liabilities is very important,” Fjalstad said. “It’s kind of a gray area still in terms of components: A lot of the controls that might be in the cloud area [are] under contract, and the legalese … of what’s going into these contracts … is really a very valuable opportunity for us to delve further and reduce this risk.”

Risks highlighted in the cyber and physical security section of the report include a lack of adequately trained security staff and internal cultures focused on compliance rather than proactive threat detection. This feeds into other common problems such as incomplete asset inventory, with Fjalstad observing that “if you don’t know what you have to secure, then it is very hard to make sure that you’re mitigating all the risks.” Third-party equipment suppliers must also be considered a potential security backdoor, with vendors held to as high a standard as a utility’s own staff.

Unmanned aerial vehicles pose a unique challenge, as they sit at an intersection between physical and cybersecurity that is not well addressed by current law. (See Feds Late to Act on Drone Threat, DHS Official Says.) Utilities that believe drones are monitoring their facilities have no recourse to law enforcement unless their airspace is violated, and even then, tracking down the operator of the vehicle is easier said than done. Fjalstad said operators must find other ways to protect their assets from unwanted surveillance.

Infrastructure Intersections

While environmental and security concerns dominated the presentation, other topics were suggested for future monitoring. One example is the risk that the growth of electric vehicles and charging stations could exacerbate the weather and resource mix issues. Operators also identified copper theft and vandalism as ongoing dangers, not just to their own equipment but also to that of the telecommunication companies on which they rely for remote monitoring.
