Cybersecurity ranks as the top reliability risk in the Southeast, followed by extreme weather events and the integration of variable energy resources, SERC said Tuesday during a quarterly open forum, where it reviewed its 2020 Risk Report.

“One thing consistently being number one is cybersecurity threats resulting from exploitation — both internal and external players,” said Gaurav Karandikar, SERC manager for reliability assessment, performance analysis and technical services.

The report focuses on risk management and communication, prioritizing risks based on the probability of occurrence and severity of impact to the region.

“The report is central to everything and anything we do here at SERC,” Karandikar said. “Prioritizing risk enables us to mobilize and deploy our resources to address those risks with the most important impact.”

Borrowing from NERC’s 2019 ERO Reliability Risk Priorities Report, SERC now defines risks in four high-level categories: grid transformation, extreme natural events, security vulnerabilities and critical infrastructure interdependency.

“Gathering that information at a departmental level and a regional level is so important to understanding the ambient risk of our entities,” Karandikar said. “And the risks that are emerging are being reduced through our efforts. We want to make sure that we are spending the resource at the right place.”

Entity Assistance Goes Virtual

Bill Peterson, SERC manager for outreach and training, reviewed the assistance given to entities over the past year, mostly virtual because of the pandemic, and the lessons learned, distinguishing between voluntary outreach programs and mandatory compliance activities.

“I’m happy to share that we were very busy last year, just had to change a little bit how we went about doing things,” Peterson said.

The team completed nearly 50 requests for assistance, comparable to 2019, but made no on-site visits, down from 13 the previous year.

“We had a lot of questions on the pandemic and impacts that has on SERC programs,” he said. “We spent quite a bit of time with entities working on the challenges and finding solutions, and in particular supply chain was a big focus area for many of us.”

Lessons learned in supply chain assistance included the need to use asset lists to identify procurements and vendors, use patching sources to identify software vendors and consider requiring vendors to provide a detailed bill of materials, he said.

Industry Experts, Align Update

The pandemic reduced the use of volunteer consultants from registered entities, but SERC nonetheless required the services of an Industry Subject Matter Expert (ISME), according to a report by Todd Curl, SERC senior manager for compliance monitoring.

“Occasionally we have an audit where the manager feels we have a little bit of a technical gap here and may recommend the services of an ISME,” Curl said. “Once we vet folks for participation in the program, we have a good resource pool.”

SERC selects volunteer ISMEs based on their technical expertise in operations, planning and cybersecurity, Curl said, encouraging anyone interested in applying to write to ISME@serc1.org.

Curl also presented an update on the rollout of the new Align compliance monitoring and enforcement program tool, which is scheduled to go live May 24.

“With the implementation of Align, all the regional entities in the ERO will be using a common system and consistent processes for managing compliance monitoring and enforcement program activities with their entities,” Curl said. The Align rollout consists of three releases, with full implementation by the end of this year.

Learning from Remote Auditing

The pandemic required audits be done remotely, compounding the challenges of evaluating compliance but also providing valuable lessons for the future, according to a report on remote auditing by SERC and Reliability First (RF).

Stephen Brown, SERC manager for critical infrastructure protection (CIP) monitoring, said most registered entities readily agreed to move to remote audits last March, a willingness he attributed to the good relationships and strong communication between SERC and its members.

Performance audits are stressful, but their scope is consistent with the registered entity’s risk to the bulk electric system, Brown said.

“This was a strong effort and something that came out of 2020 that I really want to take bits and pieces from … and move them into 2021 and beyond,” Brown said.

Zack Brinkman, RF manager for CIP monitoring, agreed; “If you would have said prior to 2020 that we could audit six CIPs during an offsite review, you would have gotten some interesting looks, but the regions brainstormed new ideas, [and] we were able to come up with a method to do so.”

RF and SERC both adopted an approach that was being used in another region, which leveraged a template, allowing them to collect evidence in one shot, minimizing the amount of time needed for each location, Brinkman said.

Winter Weather Readiness

Balancing authorities and market operators should consider bringing units to minimum load prior to anticipated severe cold weather, said SERC Program Manager for Event Analysis, Hassan Hamdar, who presented on the NERC reliability guideline for generating unit winter weather readiness.

NERC reliability guidelines are intended to share good practices to improve reliability of the bulk power system but do not represent binding standards. And while their use is strictly voluntary, entities are highly encouraged to follow them, Hamdar said.

“The purpose of this guideline is really to help share information on issues related to cold weather where we’re not used to seeing cold weather,” he said. “It’s really prolonged cold weather that really impacts. The driver for this guideline was the 2011 cold weather event that occurred in Texas, though that’s not the only place it’s happened, and that wasn’t the first time it happened.”