■ Cybersecurity protection of critical infrastructure, such as generation control systems.
■ Maintenance and management of assets, such as facility ratings and protection system maintenance.
■ Planning and system analysis, with a focus on capacity emergencies and the changing generation resource mix that is occurring on the grid.
Due to regional differences, as well as the fact that the North American grid is composed of four distinct interconnections, MRO performs a similar exercise to identify risks that are unique to the region or the Eastern Interconnection. This analysis is done using region-specific data such as root causes of power system events or major regional system infrastructure changes, and it is informed by trends identified through compliance monitoring. Examples of regional risks that were identified by MRO for 2016 include:
■ Implementation of facility ratings—ensuring that the maximum power flow through a facility does not violate applicable equipment ratings. For example, a generator should not be sized larger than its associated generator step-up (GSU) transformer, because at maximum generation output, the GSU would become overloaded.
■ Telecommunications infrastructure between primary and backup control centers.
■ Changes in planning coordinator and regional transmission organization (RTO) footprints within MRO.
Finally, in order to develop a customized oversight plan for an individual entity, MRO must analyze an entity’s unique risks, informed by the knowledge of continent-wide and regional risks.
Entity-specific risks are granular and require detailed analysis of entity-specific facilities, configurations, and the entity’s location on the grid. This work must be performed by technical power system and control system experts, using data such as system one-lines, generation interconnection agreements, restoration plans, and control system network diagrams. While the continent-wide and regional risk assessments are typically annual exercises and applicable to all entities, the entity-specific risk assessment is unique and must be conducted for each individual entity.
If this process is done correctly, the 5,000-MW GOP and the 100-MW GOP referenced as examples earlier would not receive the same oversight plan. Besides size, the GOP’s location on the grid is also likely different, as are the neighbors it interacts with and the depth of that interaction. One may be vertically integrated with transmission, while the other may operate but not own its own facilities. Each entity’s inherent risk is different, and a risk-based regulator should regulate them differently.
A Theoretical Example
Let’s look at an example, starting with risks and developing a customized oversight plan for a fictitious entity, Techie Generation Co. (TGC).
TGC is a 2,000-MW GO and GOP (it both owns and operates 2,000 MW of BPS generation assets). With regard to generation, the continent-wide risk examples listed earlier are all applicable. TGC operates generation, so it likely has a generation control system (a NERC-identified cybersecurity risk). TGC owns generation, so it is responsible for developing facility ratings and protecting those generation facilities from faults (NERC’s focus on maintenance and management of assets). And, because TGC owns and operates generation, it likely would have some role in responding to capacity emergencies (falling under NERC’s focus on planning and system analysis).
If TGC is located in the MRO Region, a few additional risks would be highlighted based on MRO’s identified regional risks, such as facility ratings and telecommunications infrastructure for backup control centers.
Taking the continent-wide and regional risks into consideration, TGC would then be analyzed based upon its specific facilities and configurations, a few of which would be:
■ Is any of TGC’s generation blackstart?
■ TGC’s fleet is 2,000 MW, but how big is each unit, and where is each located on the grid?
■ Who owns and operates the transmission system that TGC interconnects to, and what is the nature of that relationship? Is TGC also a transmission owner or a transmission operator?
■ Are there any remedial action schemes (RAS), such as automatic generation runback, in place? If so, how does the entire RAS work, and what is TGC’s role in that?
■ What does the network architecture of TGC’s generation control system look like? How does it receive setpoints for its generation facilities? Is the control system segregated from other internal and external networks?
The answers to these questions allow a Regional Entity like MRO to make determinations, based on entity-specific risk, as to which standards and requirements are most impactful to this entity and should be the focus of risk-based regulatory oversight. Additionally, a decision can be made as to the extent of applicability of continent-wide and regional risks to this entity.
The end result of answering these technical questions would likely culminate in an oversight plan partially represented as:
■ CIP-002-5 (Identification of BES Cyber Assets): A review of TGC’s process for identifying BES [bulk electric system] Cyber Assets is appropriate and warranted for three reasons: the continent-wide risk of cybersecurity; the new Critical Infrastructure Protection Version 5 (CIP V5) standards becoming enforceable in 2016 with new criteria for identifying cyber assets; and the size of this entity (2,000 MW), which is such that its generation control system may be classified as “Medium Impact.”
■ FAC-008-3 (Facility Ratings): Based upon the continent-wide risk of maintenance and management of assets, as well as the MRO regional risk of facility ratings, a review of TGC’s facility ratings would be part of its oversight plan.
Risk Assessments vs. Compliance Oversight Tools
It’s important to differentiate between the output of risk assessments and the use of compliance oversight tools. While the above standards have been identified as important for TGC based upon the continent-wide, regional, and entity-specific risks, a Regional Entity may perform oversight utilizing different compliance tools—self-certifications, spot checks, and audits.
CIP-002-5 is a good example of this. Because 2016 marks the implementation of the CIP V5 standards, the identification of cyber assets subject to the technical CIP requirements was identified as a continent-wide risk, which prompted the decision to have all Regional Entities gather and analyze this data (through data requests and, in some cases, guided self-certifications) in 2016. From a risk management standpoint, it wouldn’t make sense to wait until the next time an entity is audited to find out if it had issues with this foundational standard.
Similarly, facility ratings were identified as an issue in MRO’s region in recent years. MRO responded to this regional risk by issuing a guided self-certification of FAC-008-3 for entities within the MRO region, based upon this regional trend. MRO is not using the audit tool to evaluate either of these risks, but both CIP-002 and FAC-008 are being evaluated using a risk-based approach to compliance that is both timely and appropriately focused on specific risks.
Characteristics such as performance history or internal controls can also factor into the Regional Entity’s selection of compliance oversight tools to use for specific entities, or even subsets of compliance standards for a single entity. Just because a standard has been identified as material to an entity does not mean that it will be in an entity’s audit scope, or that it will receive any oversight. That depends on the strength of the entity’s internal controls or management practices, and on whether a region can rely upon those internal controls to the point of performing less oversight, or none at all, even in an area that presents risk to the BPS.
The inherent risk doesn’t necessarily change, but the risk-based oversight plan adjusts to individual facts and circumstances so that oversight is appropriate and warranted.
Customized Oversight
The development of customized oversight plans is performed using analysis of continent-wide risks, regional risks, and entity-specific risks, with a relationship between those risks and the standards selected for oversight. The next step in the evolution of risk-based compliance monitoring and enforcement is consideration of the timing and frequency of oversight and selection of oversight tools based on risk.
That 5,000-MW GOP might need a visit every year (for a smaller audit focused in a certain area), while the 100-MW GOP might be able to have its oversight completely handled through self-certifications. It all depends on risk and performance.
—Richard Burt is vice president of risk assessment, mitigation, and standards for the Midwest Reliability Organization. Relying on his practical engineering experience at a generation and transmission cooperative, he has been instrumental in helping develop the risk-based approach at NERC and the Regional Entities.