November 18, 2024

Electric Industry Leads U.S. in Cybersecurity Protections

The North American Electric Reliability Corp. (NERC) issued $9.2 million in fines for violations of its cybersecurity rules between 2008 and October 2012, half of all fines issued over that period.

Violations of NERC’s Critical Infrastructure Protection (CIP) rules were involved in six of the top 10 penalties, including a $725,000 fine in October.

At a time when Congress has been unable to agree on cybersecurity legislation to protect the rest of the U.S. economy, there’s no doubt that NERC and the Federal Energy Regulatory Commission take the cyber threat seriously.

The industry has come a long way in the three years since I was sitting in on NERC audits as a member of the FERC enforcement staff. The new CIP rules approved by FERC last week will cover more assets and add more controls. They’ll no doubt be good for the business of IT consultants. Regulated utilities that are allowed to put the costs in rate base will be more than happy to spend the money.

But will it be enough to prevent the potential for what former Defense Secretary Leon Panetta called a “cyber Pearl Harbor”?

While Congress gave FERC authority to issue fines of up to $1 million per day per violation, the fines issued to date have been puny relative to the earnings of the companies involved — less than one-tenth of one percent of the companies’ net income (see table).

Meanwhile, a decision by NERC and FERC to stop disclosing the identities of CIP violators — so as not to expose the violators’ vulnerabilities — has removed any reputational risk that companies might fear. Since September 2011, virtually none of those penalized for CIP violations has been named.

In announcing the new CIP rules last week, FERC commissioners stressed their desire to emphasize compliance over punishment. That’s a reasonable approach, especially when the rules are new.

But if there is no reputational risk and the financial penalties are not material, don’t be surprised if some companies decide that it’s better business to cut corners on cybersecurity.

Rich Heidorn Jr. 

FERC Remands DR Information Requirements

FERC ruled Friday that PJM must seek commission approval for new rules requiring demand response providers to provide officer certifications and additional information on their customers.

Acting on a complaint by three demand response providers, FERC said the changes required amendments to the PJM tariff and not just its manuals. Tariff changes require commission approval while manual changes don’t.

The rules, implemented March 28, require Curtailment Service Providers seeking to participate in capacity auctions to file “Sell Offer Plans,” including information about the provider’s customers. CSPs also must have a company officer sign a certification attesting to the company’s intent to physically deliver MWs.

The demand response providers filed the complaint April 3, saying the rules create unnecessary barriers to demand response participation in PJM’s capacity markets.

The plaintiffs’ procedural victory may be short-lived, however. In a statement concurring with the order, Commissioners Philip Moeller and Tony Clark indicated they would look favorably on the changes when PJM files them with the commission. “It appears that PJM has a legitimate need to require that demand resources provide certain information to substantiate offers to supply capacity,” the commissioners wrote.

The commissioners said the information was needed to prevent uncertainty that could “degrade the very purpose of PJM’s capacity market.”

Seeking “Bright Line,” FERC Leaves BES Appeal Rules Unclear

By Rich Heidorn Jr
PJM Insider

The Federal Energy Regulatory Commission gave final approval Thursday to NERC’s revised definition of the “Bulk Electric System” (BES), the category of transmission facilities covered by NERC reliability rules (Docket #s RM12-6, RM12-7).

The new definition eliminates regional discretion and establishes a “bright-line” threshold including most facilities operating at or above 100 kV. Excluded from the definition are certain radial facilities.

The order includes a case-by-case exemption process for entities seeking to remove from BES status facilities that they believe should be characterized as local.

Thursday’s order reaffirmed FERC’s Dec. 20 ruling in the docket and rejected rehearing requests from several parties who said the commission’s explanation of the case-by-case exemption process was unclear. The order did little to address the commenters’ concerns, however, containing several apparent contradictions (see below).

Reason for Change:

FERC directed NERC to develop the new BES definition in Order 743 (Nov. 18, 2010), saying the current process lacked sufficient oversight and led to inconsistencies between regions.

All reliability regions except the Northeast Power Coordinating Council, Inc. (NPCC) already use the 100 kV threshold. The commission said NPCC’s classifications of 100 kV facilities as local distribution were “subjective” and inconsistent and excluded “facilities that clearly are needed for reliable operation.”

The commission said the new threshold was appropriate because most 100 kV and above facilities operate in parallel with higher voltage facilities and experience similar loading. As a result, 100 kV facilities are relied upon during contingency scenarios and failures of such lines have caused cascading outages, the commission said.

The Commission also asserted that it can designate sub-100 kV facilities as part of the BES if they are necessary for the reliability of the transmission network, noting that such facilities were a significant factor in the Arizona-Southern California outages on Sept. 8, 2011.

Impact:

NERC had previously used 100 kV as a guideline for distinguishing between transmission and local distribution systems. The new order eliminates the phrase “generally operated at voltages of 100 kV or higher” in the current definition.

In its place is a new “core definition” covering all transmission elements and real power and reactive power resources connected at 100 kV or higher. The rule also lists five facilities configurations that are typically included in the BES and four that are excluded.

Newly-included elements have 24 months from the July 1, 2013 effective date to comply with reliability standards.

The commission required two changes to the NERC proposal, saying the exclusions for radial systems should not cover generator tie lines but should cover looped configurations connected below 100 kV.

The commission said most local distribution facilities will be automatically excluded by the 100 kV threshold and the local network exclusion (see exclusion 3). For those that aren’t, the new rules allow facility owners to appeal to NERC or FERC for a case-by-case review.

The “starting point” for FERC’s review will be the seven-factor test it set out in Order 888 (April 24, 1996). The seven “indicators” of local distribution include physical characteristics (local distribution facilities are normally in close proximity to retail customers, primarily radial and lower voltage) and functional characteristics (power flowing into local distribution systems is consumed in a restricted geographical area; it rarely, if ever, flows out to be transported to another market).

Confusion over Appeal Process

How NERC’s process will interact with FERC’s was the subject of much confusion after the Dec. 20 order.

In Order 743, the commission said that determining the line between transmission and local distribution should be part of NERC’s case-by-case exception process and directed NERC to develop rules for doing so.

In the Dec. 20 order, however, FERC announced that “while NERC’s case-by-case exceptions process is appropriate to determine the technical issue of whether facilities are part of the bulk electric system, the jurisdictional question of whether facilities are used in local distribution should be decided by the Commission.” (Emphasis added.)

Several parties filed responses saying that the Dec. 20 order created a confusing and potentially duplicative process.

“Will the processes run concurrently? If not, which process (NERC’s “technical” consideration or FERC’s “jurisdictional” consideration) is conducted first?” the National Rural Electric Cooperative Association asked in a Jan. 22 request for clarification or rehearing.

The Transmission Access Policy Study Group (“TAPS”) and Electricity Consumers Resource Council (“ELCON”) called FERC’s solution confusing and unwieldy. “Would NERC be bound by prior FERC determinations? Would FERC reopen NERC determinations? Are there issues that NERC would not be permitted or required to consider, or that entities would not be permitted to raise, in the exception process? Would one process be delayed pending completion of the other process?” the organizations asked in their petition.

FERC Response

In Thursday’s order, FERC denied the rehearing requests and attempted — without much success — to address the confusion.

FERC said that entities whose facilities are not excluded by NERC under the core definition and exclusions “may appeal a final NERC exceptions process decision to the Commission.” (Paragraph 91)

But it also said entities can petition FERC directly without filing first with NERC and that FERC’s “inquiry is a distinct process not made in connection with review of NERC exception process decisions.” (P 90)

The two processes, FERC said, “are separate, not concurrent and will be used for different determinations.” (P 89)

What the commission appears to be saying in paragraph 90 is that it will independently determine questions of whether a facility is used in local distribution or is part of the Bulk Electric System.

A separate question concerns whether a facility that is not used in local distribution should nonetheless be excluded from NERC’s reliability standards because it is not necessary for the grid’s reliability. In paragraph 91, the commission appears to say that this determination is initially NERC’s call, but can later be appealed to FERC.

A NERC spokeswoman told PJM Insider yesterday that it was still reviewing the order and had no immediate comment. A FERC spokesman said he was unable to elaborate on the order.

The bottom line: Unless the commission provides further clarification, it may fall to the appellate courts to sort out this tangle.

Highlights of CIP Version 5

CIP version 5 is comprised of 10 standards, one covering the categorization of assets and nine mitigating their risk of being compromised.

Categorization of risk

CIP-002-5 (BES Cyber System Categorization) will require entities to categorize all BES Cyber Systems according to the impact that “loss, compromise, or misuse” of the systems could have on the reliable operation of the grid.

  • High Impact facilities include large control centers and backup centers that perform the roles of the Reliability Coordinator, Balancing Authority (for generation of 3,000 MW or more in a single Interconnection), Transmission Operator or Generator Operator.
  • Medium Impact facilities are generation and transmission facilities (similar to those identified as Critical Assets in CIP-002-4) and control centers not identified as Critical Assets in CIP-002-4.
  • Low Impact facilities are all other BES Cyber Systems. This establishes protections for systems not covered by CIP Version 4.

Risk mitigation

  • CIP-003-5 (Security Management Controls) requires that low impact systems implement policies for cybersecurity awareness, physical security, electronic access, and incident reporting. The commission ordered NERC to provide more detail on these requirements.
  • CIP-004-5 (Personnel and Training) requires programs for security awareness, cyber security training, personnel risk assessment, and access management.
    • Expands training requirements and adds identification of roles requiring training.
    • Includes rules for electronic interconnectivity and storage media;
    • Specifies that the seven-year criminal history check covers all locations where an individual has lived for six consecutive months or more, regardless of official residence; and
    • Requires companies to revoke access for terminated employees immediately, instead of within 24 hours. Also requires immediate revocation for those no longer needing access (e.g., transferred employees).
  • CIP-005-5 (Electronic Security Perimeter(s)) focuses more on discrete Electronic Access Points; requires two security measures for detecting malicious communications so that Cyber Assets do not lose all perimeter protection if one measure fails.
  • CIP-006-5 (Physical Security of BES Cyber Systems) requires a physical security plan to protect BES Cyber Systems; clarifies that high impact systems must have at least two physical access controls protecting security perimeters; increases testing from every three years to every two years.
  • CIP-007-5 (Systems Security Management) is modified to make the requirements less dependent on specific technology so that they will remain relevant for future technologies; increases and clarifies testing requirements.
  • CIP-008-5 (Incident Reporting and Response Planning) specifies incident response requirements, including one requirement to report cyber security incidents to NERC’s Electricity Sector Information Sharing and Analysis Center (ES‐ISAC) within one hour and another for after-action reviews.
  • CIP-009-5 (Recovery Plans for BES Cyber Systems) specifies requirements for recovery plans, including testing every 36 months.
  • CIP-010-1 (Configuration Change Management and Vulnerability Assessments) is a new standard that consolidates requirements from previous versions of CIP-003, CIP-005 and CIP-007; includes requirements to detect unauthorized modifications to BES Cyber Systems.
  • CIP-011-1 (Information Protection) is a new standard that consolidates the information protection requirements from previous versions of CIP-003 and CIP-007; includes requirements to prevent unauthorized access to BES Cyber System Information and specifies reuse and disposal provisions to prevent unauthorized dissemination of protected information.

Bulk Electric Systems (BES) Inclusions and Exclusions

  • I1 – Transformers with the primary terminal and at least one secondary terminal operated at 100 kV or higher unless excluded under Exclusion E1 or E3.
  • I2 – Generating resource(s) with gross individual nameplate rating greater than 20 MVA or gross plant/facility aggregate nameplate rating greater than 75 MVA including the generator terminals through the high-side of the step-up transformer(s) connected at a voltage of 100 kV or above.
  • I3 – Black start Resources identified in the Transmission Operator’s restoration plan.
  • I4 – Dispersed power producing resources with aggregate capacity greater than 75 MVA (gross aggregate nameplate rating) utilizing a system designed primarily for aggregating capacity, connected at a common point at a voltage of 100 kV or above.
  • I5 – Static or dynamic devices (excluding generators) dedicated to supplying or absorbing Reactive Power that are connected at 100 kV or higher, or through a dedicated transformer with a high-side voltage of 100 kV or higher, or through a transformer that is designated in Inclusion I1.

Exclusions:

  • E1 – Radial systems: A group of contiguous transmission Elements that emanates from a single point of connection of 100 kV or higher and: a) Only serves Load. Or, b) Only includes generation resources, not identified in Inclusion I3, with an aggregate capacity less than or equal to 75 MVA (gross nameplate rating). Or, c) Where the radial system serves Load and includes generation resources, not identified in Inclusion I3, with an aggregate capacity of non-retail generation less than or equal to 75 MVA (gross nameplate rating).
  • E2 – A generating unit or multiple generating units on the customer’s side of the retail meter that serve all or part of the retail Load with electric energy if: (i) the net capacity provided to the BES does not exceed 75 MVA; and (ii) standby, back-up, and maintenance power services are provided to the generating unit or multiple generating units or to the retail Load by a Balancing Authority, or provided pursuant to a binding obligation with a Generator Owner or Generator Operator, or under terms approved by the applicable regulatory authority.
  • E3 – Local networks (LN): A group of contiguous transmission Elements operated at or above 100 kV but less than 300 kV that distribute power to Load rather than transfer bulk-power across the interconnected system. LN’s emanate from multiple points of connection at 100 kV or higher to improve the level of service to retail customer Load and not to accommodate bulk-power transfer across the interconnected system. The LN is characterized by all of the following:
    • Limits on connected generation: The LN and its underlying Elements do not include generation resources identified in Inclusion I3 and do not have an aggregate capacity of non-retail generation greater than 75 MVA (gross nameplate rating);
    • Power flows only into the LN and the LN does not transfer energy originating outside the LN for delivery through the LN; and
    • Not part of a Flowgate or transfer path: The LN does not contain a monitored Facility of a permanent Flowgate in the Eastern Interconnection, a major transfer path within the Western Interconnection, or a comparable monitored Facility in the ERCOT or Quebec Interconnections, and is not a monitored Facility included in an Interconnection Reliability Operating Limit (IROL).
  • E4 – Reactive Power devices owned and operated by the retail customer solely for its own use.

What You Need To Know About CIP Version 5

NERC’s version 5 Critical Infrastructure Protection (CIP) rules include 10 standards, two of them new.

The commission’s conditional approval of version 5 came in the form of a Notice of Proposed Rulemaking. The commission will accept comments on the new rules for 60 days after their publication in the Federal Register.

The commission said NERC had not provided justification for setting a 24-month implementation period for High Impact and Medium Impact BES Cyber Systems, and a 36-month implementation period for Low Impact systems.

CIP version 3 (CIP-002-3 through CIP-009-3) will remain in effect until the effective date of version 5. Version 4 (CIP-002-4 through CIP-009-4) will not take effect as originally planned.

Version 5 requires registered entities to classify all of their Bulk Electric System (BES) facilities based on their impact on reliability. The Low, Medium or High impact categories replace the previous approach, in which facilities were either covered or not covered by CIP standards.

NERC Critical Infrastructure Protection Violations 2008-2012

Reason for Change:

Version 5 adds new cybersecurity controls and extends the scope of the systems protected by them. Many of the changes were directed by the Commission in Order 706 (Jan. 18, 2008).

The shift to identifying and categorizing high, medium and low impact systems was based on a review of the National Institute of Standards and Technology (NIST) risk management framework for categorizing and applying security controls.

Impact:

Version 5 is comprised of 10 standards, one covering the categorization of assets and nine mitigating their risk of being compromised (see Highlights of CIP Version 5). It includes 15 newly defined terms, modifications to four existing terms and retires two terms: Critical Assets and Critical Cyber Assets.

Systems at all impact levels must be within a security zone that provides protection from outside influences using a posture of “mutual distrust.” No communication crossing the perimeter is trusted, regardless of where the communication originates.

To Be Determined:

The commission approved most of NERC’s proposals but said it may require NERC to change requirements that entities “identify, assess, and correct” deficiencies. The commission said it was concerned that the phrase was “unclear with respect to the compliance obligations it places on regulated entities and … too vague to audit and enforce compliance.”

The commission said it may require NERC to either change the language or provide details for how it would be applied and how compliance could be audited.

The commission also said NERC had not provided a “clear roadmap” for what operators of low impact facilities must do to achieve compliance.

NERC proposed an implementation period of 24 months for all systems except low impact systems, which would have 36 months to comply. The commission said NERC had not explained its rationale for the implementation plan and said it will order quicker compliance unless NERC or other commenters “provide reasonable justification” for the proposed time frame.


Cost Recovery Criteria OK’d

The Commission approved criteria for determining which NERC activities are eligible for cost recovery under section 215 of the Federal Power Act.

Reason for change:

A FERC audit issued last year recommended the development of the criteria.

Impact:

The criteria restrict funding to “statutory” activities such as those involving the development, monitoring and enforcement of reliability standards, along with related training.

FERC will use the criteria in approving NERC’s annual budgets. Expenses approved by FERC are eligible for cost recovery from end users.

The commission ruled that the proposed criteria were generally acceptable but required replacement of the term “involve or support” with the term “necessary or appropriate” as the basis for funding. The commission said the former term was too broad and provided no practical limitation on funding.

Cyber Asset Definitions

Programmable electronic devices and communication networks including hardware, software and data.

Bulk Electric System (BES) Cyber Asset

A cyber asset which, if lost, damaged or misused would within 15 minutes affect the reliable operation of the grid. Redundancy of affected facilities is not considered when determining adverse impact. The definition excludes assets connected to the grid for 30 consecutive days or less that are used for data transfer, vulnerability assessments, maintenance, or troubleshooting.

FERC OKs New Reliability Standards

Expanded Cybersecurity Focus

New Approach for Generators

WASHINGTON — The Federal Energy Regulatory Commission gave preliminary approval Thursday to a rewrite of cybersecurity rules and set a “bright line” requiring most facilities at 100 kV or higher to abide by them.

The commission issued four orders approving proposals by the North American Electric Reliability Corp. (NERC). Included were:

  • A new definition of transmission facilities covered by NERC reliability rules that upgrades the longstanding 100 kV threshold from a guideline to a directive. Regional discretion on the definition of Bulk Electric Systems (BES) is eliminated.
  • Version 5 Critical Infrastructure Protection (CIP) standards, which replace the current “in or out” designations with a tiered approach that classifies assets as high, medium or low impact. The commission said version 5’s improvements were important enough that companies now operating under CIP version 3 will skip CIP Version 4, due to take effect April 1, 2014, and transition directly to version 5.
  • New rules for generator interconnections that will eliminate the need for most generators to register as transmission operators.
  • Criteria for determining which NERC activities are eligible for cost recovery.

New Reliability Rules for Generator Interconnections

The commission issued a Notice of Proposed Rulemaking for four new reliability standards addressing vegetation management and facility connection requirements for generator interconnection facilities (also known as generator tie lines).

Reason for Changes:

FERC had encouraged NERC to identify reliability standards specific to generator owners and operators with interconnection facilities including transmission lines. Eliminating the need for generators to register under the transmission function will allow them to focus on reliability standards specific to them, NERC said.

Impact:

  • FAC-001-1 requires a Generator Owner to publish facility connection requirements when it executes an agreement to evaluate the reliability impact of interconnecting a third party facility to its tie line.
  • FAC-003-3 requires a Generator Owner to perform vegetation management on its tie line.

Standards PRC-004-2.1a (Analysis and Mitigation of Transmission and Generation Protection System Misoperations) and PRC-005-1.1b (Transmission and Generation Protection System Maintenance and Testing) establish generation owners’ responsibility for the FAC requirements as they apply to tie lines.

In most cases, NERC said, these are the only reliability standards that apply to generator interconnection facilities. The changes do not affect the requirement that generators comply with other reliability standards unrelated to tie lines, such as those covering system restoration plans and notification of equipment failures.

Generators currently registered under transmission functions will have to apply to change their certifications under the NERC Rules of Procedure.