FERC last week approved penalty settlements for violations of NERC standards by Mississippi Delta Energy Agency (MDEA) and the Western Area Power Administration’s Rocky Mountain Region, along with an unnamed utility in the Eastern Interconnection. The violations carry penalties of $70,000 and $225,000 for MDEA and the unnamed entity, respectively.

WAPA’s Rocky Mountain region — which manages a control area in Loveland, Colo., known as Western Area Power Administration, Colorado Missouri (WACM) — is not subject to monetary penalties because of a D.C. Circuit Court of Appeals ruling that FERC and NERC cannot impose such penalties against federal entities.

NERC submitted the settlements to the commission March 31, filing separate Notices of Penalty for MDEA and WACM and a spreadsheet NOP for the other utility noting that its settlement with ReliabilityFirst covered 16 violations. In a notice on Thursday, FERC said it would not review the penalties, leaving them intact.

CIP Update Falters for Unnamed Entity

ReliabilityFirst’s settlement with the registered entity — which was not identified in the spreadsheet NOP under NERC’s policies regarding security risks to critical electric infrastructure — relates to violations of critical infrastructure protection (CIP) standards. ReliabilityFirst said the deal “arises out of the entity’s efforts to improve and advance its approach to CIP compliance after identifying several issues related to its transition to CIP Version 5.”

The spreadsheet NOP identified one violation each of CIP-002-5 (categorizing bulk electric system cyber systems and associated assets commensurate with the adverse impact of their loss, compromise or misuse); CIP-004-3a (training requirements for personnel having authorized cyber or authorized unescorted physical access to critical cyber asset); and CIP-007-3a (securing systems determined to be critical cyber assets and non-critical cyber assets within the electronic security perimeter); three for CIP-010-2 (preventing and detecting unauthorized changes to BES cyber systems by specifying configuration change management and vulnerability assessment requirements); and 10 violations of CIP-007-6 (managing system security by specifying select technical, operational and procedural requirements in support of protecting BES cyber systems against compromise).

According to ReliabilityFirst’s analysis, the issues arose when the utility sought to update its systems to address problems identified in a previous settlement with the regional entity; the utility believed that it could fix these deficiencies by adopting new tools to automate multiple tasks.

However, the utility was “not adequately prepared to deploy these new tools and processes effectively,” ReliabilityFirst said, and, as a result, the entity failed to properly configure assets and tools prior to deployment, ensure that staff members were appropriately trained to manage them, or ensure that processes were in place to support their implementation and operation. This failure led to a number of violations that the entity self-reported in 2017-2019.

In its settlement, ReliabilityFirst cited the utility’s internal compliance program as a mitigating factor in the penalty determination, observing that more than 90% of the entity’s noncompliance since 2012 has been self-reported, and that the average amount of time between the beginning of a noncompliance and the entity reporting it has decreased significantly over the same period. The RE also said that the entity has made improvements in recent years that “have positively impacted the compliance culture in the CIP program,” such as organizational changes and hiring new personnel to address critical skill deficiencies.

On the other hand, the RE cited previous violations involving the utility (redacted from the public filing) to justify aggravating the monetary penalty with regard to two of the CIP-007-6 violations. ReliabilityFirst argued that the entity had failed to fully mitigate the prior violation, which justified a stiffer punishment.

Tree Violation Snags MDEA

MDEA’s $70,000 settlement with SERC Reliability arose from the violation of reliability standard FAC-003-4, governing the management of vegetation located on transmission rights of way, on its 230-kV Moon Lake line, a 23-mile facility connecting Entergy’s Moon Lake substation to the city of Clarksdale, Miss.

The utility discovered during an inspection in September 2017 that a willow tree had grown within the Moon Lake line’s minimum vegetation clearance distance, calculated by MDEA to begin 4 feet above the ground.

The tree’s growth had gone undetected because, while MDEA required monthly inspections of the line, the utility’s regulations permitted these inspections to be skipped as long as personnel noted the omission in their monthly logs and the line was inspected at least once every calendar year, with no more than 18 months between each inspection.

In the case of the line segment where the willow tree grew, inspectors had not visited it since Dec. 2, 2016. Based on average willow tree growth rates, MDEA estimated that the tree reached an unacceptable height on Feb. 15, 2017; as a result, the violation was determined to have begun on that date and ended with the tree’s removal on Oct. 6, 2017.

SERC determined that MDEA’s transmission vegetation management plan (TVMP), while technically compliant with NERC standards, was not sufficient to ensure that trees would not interfere with transmission lines. Specifically, the RE said the utility’s procedure, which allowed up to 18 months to pass between inspections, failed to account for fast-growing trees that could encroach on equipment within that time frame.

According to SERC, the violation “posed a serious and substantial risk” to bulk power system reliability, not just because of the danger of a contact of flashover event from the tree but also the deficiencies the incident revealed in MDEA’s vegetation policies. On the other hand, the RE noted that MDEA had promptly removed the offending tree after discovering it. It also cleared the additional vegetation that had prevented personnel from accessing the area in the first place, hence making future inspections easier.

In addition, the utility had self-reported the violation to SPP (its RE at the time) in December 2017 and has updated its TVMP to require the line be fully inspected every six months. MDEA also updated its training procedures to ensure that personnel responsible for implementing the TVMP are aware of these changes.

WECC Discovers Widespread Misratings

The settlement agreement between the Western Electricity Coordinating Council and WACM resulted from a violation of FAC-009-1, the reliability standard that previously governed methodologies for determining facility ratings (now replaced by FAC-008-3). Unlike the other settlements submitted by NERC, this violation was discovered by WECC during a compliance audit rather than via self-report. Although WACM did inform WECC in August 2018 that it had found evidence of a possible violation when it was preparing for the audit, the full extent of the problem was found by the RE itself.

In reviewing information from a sample of 10 transmission facilities, WECC determined that five of them showed discrepancies between the documented and actual facility ratings. Based on this information, the RE ordered a further investigation that revealed that of WACM’s 258 transmission facilities covered by the standard, 78 have actual facility ratings below those documented, while 180 are above or equal to documented ratings. Of 35 transformers applicable to the standard, 10 are below the documented ratings and 25 are at or above them.

WECC described the violation as a “serious and substantial risk to the reliability of the BPS” that could have led to equipment operating above appropriate ratings, possibly resulting in overloads and outages. The issue was also exceptionally longstanding, having begun when WACM was recognized by WECC as a transmission owner in 2007. The RE determined that the original violation was a result of the utility populating its initial FAC-009 documentation with historical ratings rather than properly verifying this information.

“The ratings process was inconsistently documented, as well as stored in multiple locations,” the NOP said. “In addition, a contributing cause was the lack of internal controls to ensure how the facility ratings had been documented was accurate and complete. … WACM not only established inaccurate facility ratings when FAC-009-1 R1 became enforceable, but carried forward those historical inaccurate ratings.”

WACM’s remediation and mitigation strategy requires it to review and verify equipment ratings for all elements in a facility rating, evaluate corrective action plans for all facilities with incorrect facility ratings and provide WECC with bimonthly project status reports. WECC acknowledged this action while noting that it has not been completed yet; the project has a proposed completion date of Dec. 15.