November 22, 2024
Return of In-person ERO Compliance Audits Planned in 2022
Cybersecurity, Extreme Weather Among Risk Factors
Damage from this year's Hurricane Ida in Louisiana
Damage from this year's Hurricane Ida in Louisiana | Entergy
The ERO Enterprise's 2022 enforcement plan makes clear that regional entities are prepared to return to in-person audits in 2022.

Enforcement staff at the regional entities are prepared to return to in-person work in January after a year of remote audits caused by the ongoing COVID-19 pandemic, the ERO Enterprise’s 2022 Compliance Monitoring and Enforcement Program (CMEP) implementation plan (IP), released last week, indicated.

NERC and the regional entities develop the CMEP IP each year to identify “the ERO Enterprise’s high-level priorities for its CMEP activities” and provide “guidance to the employees of the ERO Enterprise involved with monitoring and enforcement.” Risk elements presented in the plan are chosen from a variety of sources, including NERC’s yearly State of Reliability Report and Long-term Reliability Assessment, as well as the biennial ERO Reliability Risk Priorities Report published by NERC’s Reliability Issues Steering Committee.

COVID-19 Enforcement Easing to End

The last two years have been unusual for the ERO Enterprise’s enforcement personnel: in May 2020, amid the surging COVID-19 pandemic, NERC and the REs announced an expansion of the self-logging program. FERC and NERC had already ordered the deferral of certain regulatory activities, including on-site activities by REs such as audits and certifications, in March. (See FERC, NERC Relax Compliance in Light of COVID-19.)

Those relief measures have been extended several times, though NERC announced in May that they would likely end for good at the end of 2021. (See NERC: Latest COVID Relief Extension Likely The Last.)

The authors of the CMEP IP noted that staff at the REs have adapted to the new environment by using “video technology and virtual meeting platforms” to carry out their enforcement duties.

“Throughout the pandemic, the ERO Enterprise recognized the importance of prioritizing the health and safety of personnel and the continued reliability and security of the BPS. We will continue to evaluate the circumstances to determine the need for additional guidance,” the plan said. “When conditions allow, the ERO Enterprise will prioritize monitoring activities and risks that benefit the most from on-site components, including some on-site activities deferred from 2020 and 2021.”

Range of Risks Noted

The priority risk elements included in this year’s implementation plan are:

  • Remote connectivity
  • Supply chain
  • Models impacting long-term and operational planning gaps in program execution
  • Protection system coordination
  • Extreme events

These risks are “not intended to be a representation of just ‘important’ reliability standard requirements,” according to the plan, but rather are meant to emphasize for registered entities where they should direct “collective focus within their operations” to address the biggest challenges to BPS reliability.

Remote connectivity and supply chain carry over from last year’s list, where they were listed as a single item. Their separation in this year’s implementation plan reflects the distinct challenges that have emerged with both.

In the case of remote connectivity, the danger arises from the many utility employees who have chosen or been required to work remotely amid the pandemic, creating the risk that employees may be tricked into giving up their login credentials to malicious individuals or ignore security procedures because of inconvenience. The plan authors urged compliance monitoring staff to “understand how entities manage the risk of remote connectivity and the complexity of the tasks the individuals perform” in order to spot areas where improvement may be needed.

Concerns about supply chain security, particularly in software, have risen over the past year, fueled by high-profile cyberattacks such as the SolarWinds hack in December that may have compromised thousands of companies in the U.S., as well as the ransomware attack on Colonial Pipeline in May. (See Experts Call for Cyber Shift in Response to Colonial Hack.) The CMEP IP noted that both events highlight the risk that similar attacks against electric utilities “collectively … could cause BPS cascading disruptions.”

The third item reflects concern about the lack of useful models for registered entities to use in planning future development, including the “integration and management of system assets.” This is especially important as utilities connect increasing amounts of distributed energy resources, which often behave very differently from traditional generators.

“With the recent and expected increases of both utility-scale solar resources and distributed generation, the causes of a sudden reduction in power output from utility-scale power inverters need to be widely communicated and addressed by the industry,” NERC said. “Entities with increasing inverter-based resources should be aware and address this within their models.”

For the fourth element, gaps in program execution, the authors noted that entities have had to make major changes to their procedures in the last two years because of the pandemic; although most had a contingency plan for pandemics, some of the planned measures had to be adjusted to the actual conditions, meaning that not all changes could be tested prior to their adoption. Enforcement staff were told to pay close attention to utilities’ inspection and maintenance programs, along with facility ratings that could become out of date caused by entities’ lack of care in logging system changes.

The risk in protection system coordination refers to entities’ awareness “of their protection systems and how they would react during extreme events.” In particular, the authors indicated that differences in how neighboring utilities address issues at their borders could present issues.

Finally, the report noted multiple extreme weather events, such as February’s winter storms in Texas and the Midwest and last year’s heat event in California. The authors warned that not only are such disasters becoming more frequent and severe, but “the grid transformation also heightens the effects and complicates mitigation of an extreme event.”

“Extreme events can stress the BPS and expose weaknesses such as poor coordination between neighboring entities in planning or operations,” the CMEP IP said, observing further vulnerabilities that could be exposed in this manner such as lack of proper spares, critical infrastructure interdependencies, and “aging infrastructure coupled with less than adequate maintenance.”

RISC

Leave a Reply

Your email address will not be published. Required fields are marked *