December 22, 2024
Grid Transformation, Cybersecurity Lead 2021 ERO Risk Report
Industry Survey Informs Risk Rankings
Respondents' ranking of the 11 risks identified in NERC's 2021 ERO Reliability Risk Priorities Report by criticality. Stakeholders were asked if each risk is still relevant and to rank them from 1-11, with 1 lowest and 11 highest. Responses were grouped into "Low" (1-4), "Moderate" (5-8), and "High" (9-11).
Respondents' ranking of the 11 risks identified in NERC's 2021 ERO Reliability Risk Priorities Report by criticality. Stakeholders were asked if each risk is still relevant and to rank them from 1-11, with 1 lowest and 11 highest. Responses were grouped into "Low" (1-4), "Moderate" (5-8), and "High" (9-11). | NERC
NERC's 2021 ERO Reliability Risk Priorities Report highlights 11 key areas of risk for the electric industry and recommends a host of mitigating activities.

Industry stakeholders think cybersecurity and a rapidly shifting resource mix are the greatest risks faced by the North American bulk power system, according to the 2021 ERO Reliability Risk Priorities Report released on Friday.

NERC’s Reliability Issues Steering Committee (RISC) publishes the Reliability Risk Priorities Report every two years in order to “strategically define and prioritize risks to BPS reliability.” The report is based on discussions among RISC members and industry representatives, including the annual Reliability Leadership Summit where participants discuss the impact of various risks. (See Panel: Industry Dialogue Key to Cyber Resilience.)

The committee also used the 2020 RISC Emerging Risks Survey, issued last December, to solicit “stakeholder input on the continued relevancy” of the 11 risks identified in the last report, released in November 2019. (See ‘Interdependencies’ Joins RISC’s List.) RISC performed this survey in 2019 as well but did not include detailed results in that year’s report; in addition, the new document sees electromagnetic pulse (EMP) broken out into a separate risk for the first time. Previously it was a subset of physical risk.

As with the 2019 report, reliability risks are grouped into four categories:

  • Grid transformation — covering BPS planning, resource adequacy and performance, loss of situational awareness, human performance and skilled workforce, control and protection systems complexity, and changing resource mix.
  • Security risks — physical security vulnerabilities, cybersecurity vulnerabilities and EMP.
  • Extreme natural events.
  • Critical infrastructure interdependencies.

Survey respondents were asked whether they still considered each risk from the 2019 report (as well as EMP) relevant — to which all agreed — and to rank them from 1-11 (least to most critical). RISC grouped these rankings into low (1-4), moderate (5-8) and high (9-11).

Concerns From Last Report Mostly Unchanged

Changing resource mix and cybersecurity vulnerabilities were the clear leaders of industry concern, with a substantial majority considering each a highly critical risk. EMP ranked at the bottom, with an overwhelming “low” rating and almost no “high” votes.

RISC also asked stakeholders to classify each risk as “manage” or “monitor.” “Manage” risks “are emerging, imminent, and pose significant threats,” requiring active planning and collaboration for mitigation. Risks identified as “monitor” are “of critical importance to BPS reliability” but don’t require additional mitigation activities beyond “established industry practices.”

The 2020 survey saw no change from the 2019 assessment for most risks other than loss of situational awareness and BPS planning, both of which went from “manage” to “monitor.” EMP, making its debut as a separate risk, was also assessed as “monitor.” Changing resource mix, cybersecurity vulnerabilities, resource adequacy and performance, and critical infrastructure interdependencies all remain managed risks, while the rest are monitored.

While industry stakeholders seem to devote the most care to the changing resource mix and cybersecurity risks, the report’s authors observed that other risks may contribute to the threat perceived from these two sources.

“With the recent grid transformation, the resource mix is increasingly characterized as one that is sensitive to extreme, widespread, and long duration temperatures as well as wind and solar droughts,” the report says. “For example, having sufficient capacity does not necessarily mean that adequate energy will be available as widespread extreme temperatures are experienced. Neighboring organizations may not necessarily always support each other as they are all experiencing the same conditions.”

Mitigation Recommended

The report also includes recommended mitigating activities to lower the impact of each category. For grid transformation, recommendations include updating data, modeling, and assessment requirements; developing an approach to “evaluate the potential impacts of energy storage on reliability;” improving BPS interconnection and operation of inverter-based resources while staying up to date on new technologies such as storage and hybrid resources; and ensuring “sufficient operating flexibility at all stages of resource and grid transformation.”

Risk-NERC-(NERC)-Content.jpg
Classification of “Manage” or “Monitor” for each risk, and its change from the 2019 report. Changing resource mix, cybersecurity vulnerabilities, resource adequacy and performances and critical infrastructure interdependence all are still considered “Manage,” while loss of situational awareness and BPS planning were both reduced to “Monitor.” EMP was not given its own classification in the 2019 report because it was considered a physical security vulnerability. | NERC

Mitigations for extreme natural events include conducting special assessments of past events to identify lessons learned and create simulation models; development of tools for BPS resiliency; and understanding the impact of geomagnetic disturbances on the BPS.

Security risks attracted the most attention, with recommended mitigations involving additional assessments of the risks of various attack scenarios; continued cyber education among utility staff; development of supply chain cybersecurity best practices by the North American Transmission Forum and North American Generation Forum; creation of security performance metrics; and development of “planning approaches, models, and simulation approaches that reduce the number of critical facilities and mitigate the impact relative to the exposure to attack.”

Highlighting the heightened importance of EMPs since 2019, the report also recommends that NERC’s EMP task force “highlight key risk areas that arise from the [Electric Power Research Institute’s 2019] EMP analysis for timely industry action.” (See EPRI Report Downplays Worst-Case EMP Scenario.)

Finally, mitigation of weaknesses from critical infrastructure interdependencies involves identifying limiting conditions from other sectors that could affect the BPS; working with critical infrastructure partners to identify mutual priorities; emphasizing cross-sector issues in industry drills such as GridEx; evaluating the need for special regional assessments addressing natural gas availability and pipeline impacts; and working on communication alternatives for critical supervisory control and data acquisition information.

RISC

Leave a Reply

Your email address will not be published. Required fields are marked *