February 27, 2017

The North American Electric Reliability Corporation (NERC) has released a report sharing insights and tips to help utility industry professionals identify, prevent, or at least mitigate threats to the Bulk Power System (BPS).

Risk Categories

NERC, the electric reliability organization (ERO) covering North America, groups risks into three categories:

  • High risk: Cybersecurity vulnerabilities, changing resource mix, BPS planning, and resource adequacy.
  • Moderate risk: Loss of situational awareness, physical security vulnerabilities, and extreme natural events.
  • Low risk: Asset management and maintenance, human performance and skilled workforce.

While weather-related events remain the most common threats, it’s no surprise that NERC places cybersecurity issues at the very top of the threat pyramid. Cyber threats are becoming more sophisticated and increasing in number.

Cybersecurity Threats Can Hit Hard

Exploitation of cybersecurity vulnerabilities can result in loss of control or damage to the BPS, voice communications, data, monitoring, protection and control systems and others, leaving people in the dark and cold for extended periods of time.

NERC Asks For Industry Help

NERC calls on the industry to work with it to adopt a “nimble, multipronged approach” to address the continually evolving cybersecurity threat. It offers several examples. For instance, it wants to see increased Electricity Information Sharing and Analysis Center (E-ISAC) participation and products, peer reviews, and assistance visits to move to what it calls a “best-practices” model. It also wants to see recommendations to address new and less well-defined threats.

Importance of BPS Planning & Risk Management

BPS planning is also critical to risk management. NERC says the ERO Enterprise should coordinate with the industry, manufacturers and developers of asynchronous resources to develop and make available accurate dynamic models. The ERO should also work with industry to:

  • Identify type and frequency of information needed from distributed energy resources.
  • Create guidelines and best practices for developing and maintaining accurate system, dynamic and electromagnetic models that include transmission, resources, load, and controllable devices for use in long-term and operational planning.
  • Continue to assess essential reliability services (ERS) performance to develop necessary guidelines to determine if Reliability Standards are required.

NERC should also continue to collaborate with Planning Coordinators to expand development of interconnection-wide models commensurate with expected dispatches. This collaboration will support the ability to conduct more effective long-term planning assessments.

How To Identify Resource Pitfalls

The report also stressed the importance of resource adequacy and performance. Here, it says the ERO Enterprise should:

  • Continue to improve modeling and probabilistic methods with industry to evaluate resource adequacy to include impacts from ERS, unit retirements, and load and resource variability during different time frames, including shoulder months.
  • Assess and develop mitigation recommendations to address single points of disruption, such as fuel contingencies, that will result in large resource outages.
  • Develop new measures of reliability beyond reserve margins, including the sufficiency of ERS.
  • Continue to assess vulnerabilities of fuel availability as part of evaluating resource adequacy and operational capability.

Additional Analysis Needed

The utilities industry needs to do its part, too, the report stresses. It should evaluate opportunities to develop more accurate short-term load forecast models.

Industry should also analyze data requirements necessary to ensure there is sufficient detail on the capability and performance of the BPS as it is impacted by distributed energy resources. Industry should also gather data beyond simple demand forecasts and expand to identify resource capacity, location and ERS capability.

Powerful NERC Compliance Management Solutions Needed

With the level and intensity of these more sophisticated threats, utility compliance officers must adopt a powerful automated NERC compliance management system. AssurX has worked closely with a major utility on a comprehensive implementation of AssurX’s Energy & Utilities Enterprise Management System.

The implementation created highly automated and integrated workflows designed to address the new NERC CIP compliance regulations. Specifically, they addressed NERC Cyber CIP-002-5.1 and CIP-007-6. The AssurX workflows address asset management, software/firmware patch management, change management, and controls.

The solutions provide a complete real-time audit trail of all changes and modifications made to an asset during its lifetime. That includes its installed software/firmware patch history. The AssurX workflows include calendar-driven recurring review tasks, reminders, escalations, email notifications and e-signatures of compliance and operations managers.