Search
`
September 29, 2024
SERC Open Forum Briefs: May 11, 2020
Leadership Applauds Entities’ Pandemic Response
May 12, 2020
SERC has seen no “significant issues” among its registered entities related to the COVID-19 pandemic, attendees of the entity’s Q2 Open Forum heard.

SERC Reliability has seen no “significant issues” among its registered entities related to the COVID-19 pandemic, senior critical infrastructure protection compliance specialist Rick Dodd told attendees of the regional entity’s Q2 Open Forum.

“It seems that the registered entities are doing a fabulous job. … Even with all the stay-at-home orders that are out there, work seems to be getting done, and we appreciate that greatly,” Dodd said.

According to Dodd, the RE has received 13 COVID-19 impact notice forms to date, in accordance with FERC and NERC’s decision in March to relax some compliance burdens on utilities because of the outbreak. (See FERC, NERC Relax Compliance in Light of COVID-19.) The functions affected include maintaining personnel certification, performance of required periodic actions, and on-site activities such as audits and certifications.

SERC is also working with NERC to address issues raised by its entities regarding further effects of the outbreak on their operations. While the RE answers region-specific issues on its own website — including SERC’s audit schedules and details about filling out the impact notice form — questions that have ERO-wide implications are being routed to NERC to be answered on its compliance monitoring and enforcement program page. The ERO had received 37 questions from all regions as of Thursday.

Success in Audits Takes Ongoing Commitment

Many registered entities can do more to prepare for audits from their REs, according to members of SERC’s assistance program that have worked with utilities on their internal compliance programs.

SERC Open Forum
| SERC Reliability

“Compliance should be a continual process for [you]; it should be woven into your daily work life fabric just like, say, safety is,” said Wayne Ahl, a senior reliability and security adviser at SERC. “So, don’t wait until the audit notification letter comes out to scramble all the jets; you should be [thinking] about evidence and compliance and security … so that you don’t have to start over each audit.”

Ahl identified several common elements of successful audit preparation plans, starting with “Entity 101,” a brief presentation for auditors incorporating essential data such as generating and transmission capacity, along with an outline of compliance procedures and personnel involved. Auditors find this kind of information very helpful, particularly when they have not encountered the entity before, he said.

When an entity receives an audit notification, it should set clear goals, define roles and responsibilities for relevant personnel, and lay out reasonable timelines with adequately spaced deadlines, Ahl noted. Personnel must be adequately trained to perform their tasks while also being empowered to work without overcrowding their schedules with unnecessary meetings, and they should know when to reach out for a new perspective.

“Once you complete the RSAWs [reliability standard audit worksheets], bounce them off someone else in your company … relevant or competent personnel that aren’t directly associated with [the audit]. Let them have a fresh look at it, and it often will help you [improve] your RSAWs and your evidence production,” Ahl said.

Vigilance Recommended for CIP Compliance

Violations of NERC reliability standard CIP-005-6, governing cybersecurity personnel and training, are an ongoing concern at SERC, according to Justin Kelly, senior CIP auditor at the RE.

Kelly’s presentation to the Forum focused on Requirement 5, which pertains to revocation of access to bulk electric system cyber systems. Many of the shortfalls regarding this requirement involved failures of third parties to notify registered entities of the termination of relevant personnel. “There were issues all over the board with this,” Kelly said. Causes of violations included:

  • using an incorrect or out-of-date email address;
  • sending emails on holiday weekends when they were likely to be overlooked;
  • emails not being recognized as urgent; and
  • mistakenly sending notifications to someone with a similar name to the intended recipient.

Kelly said that his team has seen utilities begin to set timely notification requirements for third parties and enforce them more rigorously. He warned that entities will need to maintain their activities in this regard. Because the roster of third parties working with a given entity is typically fluid, utilities must constantly ensure that their partners are aware of the latest requirements.

CIPSERC
KeywordsCOVID-19cybersecurity
Holden Mann
Ballot Opens on Proposed GMD Revisions
More From This Author

Leave a Reply

Your email address will not be published. Required fields are marked *

We Recommend

1
FERC Reliability Conference to Highlight Resource Adequacy
Sep 26, 2024FERC & FederalHolden Mann
2
DHS Offers $280M in Grants for Cyber Investments
Sep 24, 2024State RegulationHolden Mann
3
Texas RE Endorses ERO Enterprise Strategy
Sep 23, 2024Regional EntitiesTom Kleckner
4
WECC, Members Grapple with Strategic Vision
Sep 19, 2024Regional EntitiesElaine Goodman
5
FERC Proposes Further Cybersecurity Measures
Sep 19, 2024Standards/ProgramsHolden Mann

Popular Stories

1
Study: HVDC Needs Standards to Take off in US
Sep 9, 2024Standards/ProgramsJames Downing
2
Webinar Examines How FERC Could Use Interregional Transmission Study
Sep 9, 2024FERC & FederalJames Downing
3
WECC, Members Grapple with Strategic Vision
Sep 19, 2024Regional EntitiesElaine Goodman
4
Consumer Response Saved Alberta Grid During Jan. 2024 Cold Snap
Sep 11, 2024Regional EntitiesElaine Goodman
5
FERC Proposes Further Cybersecurity Measures
Sep 19, 2024Standards/ProgramsHolden Mann

Industry Gatherings