December 24, 2024
Cybersecurity, Modeling Top NERC’s 2021 Risk List
Cyber hygiene and poor-quality modeling continue to head the list of major risks to the stability of the bulk power system.

Cyber hygiene and poor-quality modeling continue to head the list of major risks to the stability of the bulk power system, according to NERC’s 2021 ERO Enterprise Compliance Monitoring and Enforcement Program (CMEP) Implementation Plan.

NERC prepares the list of risk elements annually to help regional entities and utilities plan for the year ahead. Risk elements are identified according to the ERO Enterprise Guide for Compliance Monitoring through compliance filings, event analysis and data analysis. The organization also solicits input from ERO Enterprise staff and committees, such as NERC’s Reliability Issues Steering Committee (RISC), and reviews the State of Reliability report as well as other publications.

This year’s report identifies the following risk elements for the coming year:

  • remote connectivity and supply chain;
  • poor quality models impacting planning and operations;
  • loss of major transmission equipment with extended lead times;
  • inadequate real-time analysis during tool and data outages;
  • determination and prevention of misoperations; and
  • gaps in program execution.

While the COVID-19 pandemic did not gain its own spot on the list, drafters incorporated its impacts into several of the risk elements. Although NERC and other organizations had prepared contingency plans for a pandemic, the arrival of an actual crisis exposed some mistaken assumptions. (See Pandemic Poses Long-term Reliability Challenges.)

“Pandemic risk differs from many of the other threats facing the BPS because it is a ‘people event,’” the report says. “The fundamental risk is the loss of staff critical to operating and maintaining the BPS such that firm loads could no longer be served reliably and securely. Regions may consider reviewing requirements related to personnel training in order to address this risk.”

Remote Work Raises Cyber Risks

The coronavirus impacts are particularly visible in the entry for remote connectivity and supply chain, which highlights entities’ shortfalls in addressing cybersecurity. Cyber hygiene became an unexpectedly pressing issue this year when many entities transitioned to a remote work posture, greatly expanding the “attack surface” for malicious actors who may try to exploit employees distracted from best practices by family or personal challenges. (See PPE, Testing Top Coronavirus Concerns for NERC.)

“Regardless of the sophistication of a security system, there is potential for human error,” the report notes. “If security has increased the difficulty in performing personnel’s normal tasks, personnel may look for ways to circumvent the security to make it easier to perform their job.”

Notable cybersecurity issues unconnected to the pandemic include supply chain risk, which continues “to be a focal point of the federal government” with actions this year including President Trump’s emergency declaration in May and subsequent inquiries from FERC Opens Supply Chain Cyber Risk Inquiry.) These risks can both “create issues within individual entities [and] collectively … cause disruptions within the [bulk electric system].”

New Risks to Modeling, Rating

NERC Cybersecurity
| NERC

In calling out utilities’ inadequate modeling, the report focuses on new technologies, such as distributed energy resources and inverter-based generation. Shortcomings in utilities’ approach to both resources have been frequently noted by NERC and the REs in recent years; for example, in a joint report issued in August, NERC and WECC warned that many utilities in the Western Interconnection use outdated models, or none at all, for their solar and wind generation resources. (See NERC, WECC Warn of Inverter Modeling Gaps.)

In addition, the report’s “Gaps in program execution” section notes that inaccurate, outdated facility ratings pose a significant challenge to creating useful planning models. Rating violations may occur because of change management systems that are either not enforced or not rigorous enough to document all relevant updates. This year also saw many utilities introduce travel limitations and physical distancing requirements in light of the pandemic, which “complicated … inspection and maintenance programs,” NERC said.

The remaining areas revisit last year’s report. In the “Loss of major transmission equipment” section, NERC urges utilities to prepare for scenarios that can “reduce contingency margins” while personnel seek replacements for equipment with long manufacturing lead times. These include aging infrastructure, natural disasters and deliberate attacks such as an electromagnetic pulse, along with pandemic-related supply chain complications.

Under “Inadequate real-time analysis during tool and data outages,” the report notes the need for registered entities to “be able to demonstrate how their real-time assessment is sufficient … during the loss of primary tools or data sources.” The final section, “Determination and prevention of misoperations,” aims to remind utilities that protection systems that operate at the wrong time can be just as dangerous to the BPS as those that fail to operate at all.

Data Submittal Schedule Released

Alongside the CMEP Implementation Plan, NERC last week also published its Periodic Data Submittals (PDS) Schedule for next year. The PDS is updated annually to inform registered entities of data submittals required by NERC’s reliability standards, along with their deadlines. Data requests issued under sections 800 and 1600 of NERC’s Rules of Procedure are not included in the list.

Next year’s PDS largely carries over the schedule from 2020. Exceptions include the addition of two standards — BAL-001-TRE-2 (Primary frequency response in the ERCOT region) and TPL-007-4 (Transmission system planned performance for geomagnetic disturbance events) — that became effective in 2020 but were not included in this year’s schedule. In addition, PRC-004-WECC-2 (Protection system and remedial action scheme misoperation) and PRC-016-1 (Remedial action scheme misoperation) will become inactive in 2021 and have been removed from the schedule.

CIP-008-6 (Cybersecurity — Incident reporting and response planning) and PRC-012-2 (Remedial action schemes) are set to take effect next year as well. However, they were not included in the schedule for 2021.

CMEPNERC & Committees

Leave a Reply

Your email address will not be published. Required fields are marked *