Leadership Elections
The NERC Standards Committee on Wednesday elected Todd Bennett of Associated Electric Cooperative Inc. and Troy Brumfield of American Transmission Co. as its new chair and vice chair, respectively.
Bennett, managing director of reliability compliance and audit services at AECI, will replace current Chair Amy Casuscelli, of Xcel Energy, beginning next year. When she steps down, Casuscelli will have served as chair for two consecutive two-year terms.
Casuscelli said she would give Bennett a “long, elaborate speech” for her last committee meeting in December, but she did tell him that “the committee is going to be in really good hands under your leadership, so congratulations.”
The committee chose Bennett over Charles Yeung, executive director of interregional affairs for SPP; the vote count was not revealed. Prior to the vote, Yeung said he was not running to oppose Bennett, saying that “Todd would be as good as chair with his experience as I could be. However, I think I would bring to the team a lot of insight from” his experience leading the Project Management and Oversight Subcommittee (PMOS).
Comments about the number of ongoing standards projects and how to prioritize them were sprinkled throughout the committee’s discussions. “I think the primary struggle of standards today is the projects,” Yeung said. “As we heard today, a lot of the concerns are about scheduling and priorities, so that will be a primary driver of leadership of the Standards Committee in the future.”
After Bennett’s election, WECC’s Steve Rueckert nominated Yeung for vice chair to run against Brumfield, manager of reliability standards compliance for ATC, who was running unopposed. Rueckert made his nomination conditional on Yeung wanting to serve in the position, which made Casuscelli laugh and prompted Yeung to say he had “never heard a nomination like that” before accepting.
Committee members also were briefed on their own upcoming elections. The committee is made up of 20 members, comprising two from each sector serving staggered two-year terms; thus, 10 members are up for re-election this year.
Nominations will be accepted from Oct. 3-13, and the election will be held over Nov. 1-13. The results will be announced Nov. 16.
Proposed Update to Supply Chain CIP Standard Deferred
After an hourlong discussion, the committee voted 9-7, with three abstentions, to delay consideration of a NERC-proposed standard authorization request (SAR) to update CIP-013-2 (Cyber Security — Supply Chain Risk Management) pending consultation with the Reliability and Security Technical Committee (RSTC).
Committee members expressed reluctance to approve another standard development project that did not seem urgent and seemed to prescribe one-size-fits-all solutions.
The first version of the standard went into effect in 2020. It requires entities to implement security controls in their supply chains addressing software integrity and authenticity; vendors’ remote access; information system planning; and vendor risk management. An update that went into effect last year extended the requirements to electronic access control or monitoring systems, physical access control systems and protected cyber assets. (See FERC OKs Updated Supply Chain Standards.)
A NERC survey in March 2022 on CIP-013 and the two other cybersecurity standards approved alongside it showed that, although the standards were helpful, about 40% of respondents were unclear as to what would constitute a violation of the standards’ requirements. (See NERC Reports Mixed Data on Supply Chain Progress.)
“Industry implementation is wide ranging and variable across the ERO Enterprise,” according to the proposed SAR. “The implemented industry supply chain risk processes are ambiguous and generally lack rigor for validating the completeness and accuracy of the data, assessing the risks, considering the vendor’s mitigation activities and documenting and tracking residual risks. … The lack of specificity for correctly identifying and assessing supply chain security risks may lead to incomplete or inaccurate risk evaluations.”
“The threat has changed,” Jamie Calderon, NERC manager of standards development, told the committee. “New attacks have been documented. … How entities are complying with CIP-013 introduces too much room for residual risk.”
But Marty Hostler, reliability compliance manager for Northern California Power Agency, said the SAR seemed to be more about “course-correcting, [so] this seems like a lower priority then. We’ve got well over 30 projects already, and NERC just issued some guidance … on what we should be doing, [which means] it’s already correcting the course.”
“We did not state that it was a high priority,” answered Latrice Harkness, NERC director of standards development. “However, this is something that we need to address for security purposes.”
Hostler was not fully convinced, saying, “It would seem like we need a little … more guidance on what the real issue is, because we’ve got this guidance out there, and I think that’s appropriate.”
Brumfield noted the many instances in which the SAR said the standard “lacks specificity.”
“It’s telling us to drill down and be more prescriptive,” he said.
“I’m a little [conflicted] on whether this should go forward or not,” Yeung said. “On one hand, there’s gaps” in the standard. “The concern I have is, will this SAR be successful? Because from a PMOS perspective, we’ve got so many [projects] already. … So I want to make sure this SAR is amenable to industry to move forward.”
Hostler moved that the committee send the SAR to the appropriate RSTC subcommittee for technical review; the motion ultimately was approved.