CLEVELAND, Ohio — ReliabilityFirst may expand the periodic preparedness exercises it conducts to include state and local authorities that would deal with the consequences of a grid catastrophe.
In remarks at RF’s quarterly meeting Thursday, CEO Tim Gallagher said he is considering developing a statewide group to focus on scenarios to deal with the “real vulnerabilities” if the grid were to fail, whether from a cyberattack, severe weather or other grid-threatening events.
As part of its mission, the agency conducts multiple “tabletop” grid catastrophe gaming exercises that include member companies as well as RF staff. Gallagher told the RF board of directors that he is considering involving state governments in future exercises because he sees a “potential lack of coordination.”
To test the hypothesis, Gallagher said he hopes to create an Ohio group that would “pull in communications providers, local governments and law enforcement.” Once developed, the scenario gaming process would be versatile enough to use in other states and by RF’s five counterpart regional entities across the nation, he said.
Representatives of both American Electric Power (NYSE: AEP) and FirstEnergy (NYSE: FE) at the meeting endorsed the idea.
In his opening remarks, George Hawkins, a NERC board member, said the pace of potential threats and responses to those threats appears to have accelerated since his arrival on the NERC board in 2015. Hawkins is a former regional EPA administrator and former CEO of the D.C. Water and Sewer Authority.
Hawkins pointed to three areas of increasing risk: 1) “internal changes” to the grid with a changing resource mix and generation retirements; 2) growth of “extreme” weather; and 3) cyberattack risks, particularly in light of the conflict between Russia and Ukraine.
Gallagher said he and Niki Schaefer, chief legal officer at RF, had been interviewing “selected trustees as part of our information gathering for updating the RF strategic plan.”
He said in recent years, RF has begun seeing a “drift” away from full compliance with NERC standards in some “facility operations.”
“That is a real risk. It’s a risk to safety; it’s a risk to reliable operations and planning; and it’s a risk to the proper administration of markets. Our entire footprint is market-dominated, so the [facility] ratings are extremely important in our footprint,” Gallagher said.
That drift has been reversed, he added. “We are nearing completion of our audits and the corrections with the collaboration of our industry partners across our footprint. And that’s a major risk taken off the table.”
“I can’t say too much about the impacts of the war that Russia started in Ukraine in an open session,” he added. “But I do want to share that the coordination and the sharing of information has been impressive.”
“We all continue to monitor progress and share [information],” he said, in reference to potential cyberattacks.
He revealed that RF auditors “were able to uncover multiple instances of a turnkey vendor system that left an open door into critical assets. That’s about as much as I can say. That door is now being closed, and I think that shows the power of the audits.”
“I know that no one likes to be audited; we were just audited by NERC,” he added, suggesting that outside audits should be looked at as “third-party risk analysis.”
“To my knowledge, there have not been any actual compromises,” he said. “But that does not mean that we should be comfortable. The future is unknown.
“Diligence is more required now and in the future than ever [before], and it’s not going to end. It’s not going to end when the actual physical conflict ends, which will hopefully be very soon but who knows, because I don’t know when the economic sanctions and all the other things will end,” he said about repercussions from the war.
“And there are a lot of things that are going on to retaliate in response to those [sanctions]. This is a marathon — I think we all know that now — not a sprint, and we need to be mindful,” he said of potential Russian cyber threats.
Annual Report
The RF 2021 annual report accompanying the agenda for the quarterly meeting noted an increase in noncompliance with NERC's Critical Infrastructure Protection (CIP) standards, including a jump in higher-risk violations. NERC revised the CIP standards in 2016 in response to growing cyber threats.
The good news in the report was that most of the CIP violations in 2021 were self-reported rather than found in an RF audit.
“The percentage of noncompliance identified through self-reports and self-logs in 2021 was slightly higher than previous years, with entities self-reporting and self-logging 95% of noncompliance. This is a positive trend showing strong detective controls at entities and also relates to the increased numbers of self-logs (which are presumed to be minimal risk),” the report stated. “In other words, while the volume of violation intake remains high, the overwhelming majority are self-identified and many are presumed to be minimal risk.”
Marcus Noel, RF chief security officer, told the board that following the discovery in December of a vulnerability in the open-source software Log4j, which affects millions of applications and could allow hackers to take control of a system, the RF team installed a patch and put firewall rules in place, including automatic detection rules.
He said the team also reviewed third-party software providers and cloud providers. More recently, in response to potential Russian threats, he said his group blocked some companies, especially those RF does not do business with.