SERC Reliability has seen no “significant issues” among its registered entities related to the COVID-19 pandemic, senior critical infrastructure protection compliance specialist Rick Dodd told attendees of the regional entity’s Q2 Open Forum.
“It seems that the registered entities are doing a fabulous job. … Even with all the stay-at-home orders that are out there, work seems to be getting done, and we appreciate that greatly,” Dodd said.
According to Dodd, the RE has received 13 COVID-19 impact notice forms to date, in accordance with FERC and NERC’s decision in March to relax some compliance burdens on utilities because of the outbreak. (See FERC, NERC Relax Compliance in Light of COVID-19.) The functions affected include maintaining personnel certification, performance of required periodic actions, and on-site activities such as audits and certifications.
SERC is also working with NERC to address issues raised by its entities regarding further effects of the outbreak on their operations. While the RE answers region-specific issues on its own website — including SERC’s audit schedules and details about filling out the impact notice form — questions that have ERO-wide implications are being routed to NERC to be answered on its compliance monitoring and enforcement program page. The ERO had received 37 questions from all regions as of Thursday.
Success in Audits Takes Ongoing Commitment
Many registered entities can do more to prepare for audits from their REs, according to members of SERC’s assistance program who have worked with utilities on their internal compliance programs.
“Compliance should be a continual process for [you]; it should be woven into your daily work life fabric just like, say, safety is,” said Wayne Ahl, a senior reliability and security adviser at SERC. “So, don’t wait until the audit notification letter comes out to scramble all the jets; you should be [thinking] about evidence and compliance and security … so that you don’t have to start over each audit.”
Ahl identified several common elements of successful audit preparation plans, starting with “Entity 101,” a brief presentation for auditors incorporating essential data such as generating and transmission capacity, along with an outline of compliance procedures and personnel involved. Auditors find this kind of information very helpful, particularly when they have not encountered the entity before, he said.
When an entity receives an audit notification, it should set clear goals, define roles and responsibilities for relevant personnel, and lay out reasonable timelines with adequately spaced deadlines, Ahl noted. Personnel must be adequately trained to perform their tasks while also being empowered to work without overcrowding their schedules with unnecessary meetings, and they should know when to reach out for a new perspective.
“Once you complete the RSAWs [reliability standard audit worksheets], bounce them off someone else in your company … relevant or competent personnel that aren’t directly associated with [the audit]. Let them have a fresh look at it, and it often will help you [improve] your RSAWs and your evidence production,” Ahl said.
Vigilance Recommended for CIP Compliance
Violations of NERC reliability standard CIP-005-6, governing cybersecurity personnel and training, are an ongoing concern at SERC, according to Justin Kelly, senior CIP auditor at the RE.
Kelly’s presentation to the Forum focused on Requirement 5, which pertains to revocation of access to bulk electric system cyber systems. Many of the shortfalls regarding this requirement involved failures of third parties to notify registered entities of the termination of relevant personnel. “There were issues all over the board with this,” Kelly said. Causes of violations included:
- using an incorrect or out-of-date email address;
- sending emails on holiday weekends when they were likely to be overlooked;
- emails not being recognized as urgent; and
- mistakenly sending notifications to someone with a similar name to the intended recipient.
Kelly said that his team has seen utilities begin to set timely notification requirements for third parties and enforce them more rigorously. He warned that entities will need to maintain their activities in this regard. Because the roster of third parties working with a given entity is typically fluid, utilities must constantly ensure that their partners are aware of the latest requirements.