By Rich Heidorn Jr.
FERC on Thursday approved NERC as the Electric Reliability Organization for another five years while ordering the organization to audit its regional entities and improve its oversight of the Electricity Information Sharing and Analysis Center (E-ISAC).
It also ordered changes to NERC’s organization certification program and how it uses reliability and security guidelines and said it should provide more transparency about how it and the REs determine penalties (RR19-7).
NERC must submit a compliance filing in 90 days and updates to its Rules of Procedure in 180 days. NERC said Friday it was reviewing the order and had no immediate comment.
FERC said it found that “NERC continues to satisfy the statutory and regulatory criteria for certification as the ERO, and … that the regional entities continue to satisfy applicable statutory and regulatory criteria.”
The commission credited the ERO for shifting to a risk-based approach to focus on the most significant reliability issues and said it was responsive to suggested improvements from stakeholders.
FERC identified five areas for improvements: periodic RE audits; guidance documents; E-ISAC oversight transparency; sanction guidelines; and organization certification.
“The commission generally is satisfied with other features of NERC’s Rules of Procedure, including rules that provide fair and impartial procedures for enforcing reliability standards and rules that provide for broad participation, notice and opportunities for comment in developing reliability standards,” the commission said.
Regional Entity Audits
NERC’s Rules of Procedure and the regional delegation agreements it signed with the REs in 2007 require it to perform “comprehensive” audits of the REs’ compliance monitoring and enforcement programs (CMEPs) at least once every five years.
But after doing five limited audits through 2010, NERC failed to mention in its 2014 or 2019 performance assessment whether it had completed any audits. The commission noted that it rejected NERC’s attempt to eliminate the audit requirement in 2015.
An independent audit of NERC in 2016 concluded that it had failed to perform any comprehensive five-year audits of the REs’ CMEPs during 2013 to 2015, conducting only “limited oversight reviews.”
“We are concerned that, from 2011 through the end of 2018, NERC may not have performed comprehensive audits of the regional entities,” the commission said. It ordered NERC to produce any RE audits it has performed or provide a plan to perform them within the next 18 months and continue them going forward.
Efficacy of Guidance Documents
FERC also called for more transparency regarding the effectiveness of NERC’s reliability and security guidelines, noting that the organization developed more than 20 guidelines during the last assessment period, compared to only two during the prior five years.
“We are not aware of any formalized written process to steer the development and approval of guidelines or to provide feedback to the NERC standard development process on whether the guideline is effective,” FERC said. “Moreover, unlike the transparent standards development process, in at least some cases, guidelines are based on the input of a limited number of interested participants and NERC staff’s perspective is unknown. … NERC’s process and criteria for determining whether and when to develop mandatory reliability standards versus voluntary measures to comply with [Federal Power Act] Section 215, and how NERC uses information gained from the issuance of a guideline to improve or develop a new reliability standard, are unclear.”
The commission ordered NERC to explain its guidance development process and how it proposes to determine if guidance documents are addressing the risks and “how and at what interval NERC will evaluate whether components of the guidance document should be incorporated into the reliability standards.”
E-ISAC Oversight Transparency
FERC criticized the E-ISAC, saying that despite its growing share of NERC’s budget, its irregular public reports typically use “high-level information, such that the reports may be neither timely nor informative enough to assist the development of reliability standards.”
NERC created the E-ISAC in 1998 at the request of the Department of Energy to function as a means for voluntary information sharing. Its 2020 budget is 28% of NERC’s total spending — 37.5% including the Cyber Security Risk Information Sharing Program (CRISP), which allows real-time, computer-to-computer data exchange of potential security threats. CRISP is fully funded by participant fees.
FERC acknowledged that the E-ISAC’s Code of Conduct bars it from sharing information it receives with enforcement staff but said it does not appear to prohibit the sharing of information for the development of reliability standards. It ordered NERC to provide information on how the E-ISAC determines what data to share with NERC and how NERC uses the information.
The commission also called for NERC to clarify the E-ISAC’s relationship with the Electricity Subsector Coordinating Council’s (ESCC) Member Executive Committee (MEC) and how the MEC provides “strategic oversight and guidance” to the E-ISAC.
It said NERC must develop E-ISAC metrics for fiscal year 2020 and detail how it developed them and how they will help it oversee the E-ISAC.
“Recognizing the important role that the E-ISAC plays, it is imperative that NERC consider the perspectives of those stakeholders that rely on E-ISAC services to develop and track metrics to assess the performance of the E-ISAC,” FERC said. “Moreover, we believe that E-ISAC-specific metrics and goals used to assess the performance of the E-ISAC should be transparent and publicly available so that the stakeholders that rely on E-ISAC services can assess E-ISAC’s effectiveness and identify opportunities for improvement.”
Sanction Guidelines
The commission called for an update to NERC’s Sanction Guidelines to reflect its shift to a risk-focused enforcement strategy. It also directed the organization to provide more transparency regarding how it and the REs apply the base penalty, adjustment factors and non-monetary sanctions, including how they consider “the violator’s financial ability to pay the penalty” so that “no penalty is inconsequential to the violator to whom it is assessed.”
Organization Certification
FERC also called for improvements to the formal certification oversight program NERC introduced in 2018, saying “it is necessary to provide more specific guidance on the tools and skills needed to perform the registered function.”
The commission cited last year’s certifications of CAISO (RC West) and SPP as reliability coordinators to replace Peak Reliability as evidence of the need to include contingency plans in the program. “If either RC West or SPP had failed to meet certification requirements, there would be a period during which no entity is certified as the reliability coordinator responsible for performing critical reliability functions,” FERC said.
It also ordered NERC to establish minimum requirements for certification teams, including “necessary diversity in technical training and experience of team members specific to the function being certified.”
Performance Assessment
This is the third time FERC has reapproved NERC as the ERO in the 13 years since it was certified under the 2005 Energy Policy Act. FERC regulations required the ERO file an assessment of its performance three years after its initial certification in July 2006 and every five years thereafter.
In its performance assessment filed in July for June 1, 2014, to Dec. 31, 2018, NERC cited its development of reliability standards — it has completed more than 100 to date — and the refinement of its compliance and enforcement procedures.
NERC said that it made “continued progress” in reducing the ERO’s backlog of older violations and saw a drop in repeat moderate- and severe-risk violations in the last five years. After peaking in 2013 at 529, the number of moderate or severe violations dropped to 107 in 2018. Moderate or serious violations for entities with prior noncompliance with similar conduct dropped from a peak of 111 in 2016 to 22 in 2018.
The three-year rolling average of serious violations as a share of all violations (non-critical infrastructure protection and CIP versions 1-3) dropped from 4.9% for 2014-2016 to 3.3% for 2016-2018. Serious CIP violations dropped from 5.9% of all CIP violations in 2014-2016 to 3.9% for 2016-2018. NERC’s goal is to keep both measures below 5%.
NERC also cited a decrease in protection system misoperations and the expansion of its Generator Availability Data System (GADS) to include wind farms of 75 MW or more commissioned since 2005. It is planning to expand GADS further to include some solar projects.
During the assessment period, the ERO completed compliance monitoring arrangements with all Canadian provinces and increased its interaction with Mexico, signing a memorandum of understanding with Centro Nacional de Control de Energia (CENACE), the Mexican grid regulator.