FERC Approves New Cybersecurity, Transmission Reliability Standards

The Federal Energy Regulatory Commission (FERC) on Jan. 23 approved two new reliability standards related to transmission system planning performance and cybersecurity. However, it also proposed to retire 74 reliability standard requirements, which it deemed duplicative or unnecessarily burdensome.

Among the spate of actions it took on Thursday, FERC also green-lighted retaining the North American Electric Reliability Corp. (NERC) as the interconnected bulk power system’s Electric Reliability Organization (ERO), an electric reliability assurance organization mandated by the Energy Policy Act of 2005.

NERC to Continue as ERO

As a history book NERC recently published notes, NERC was voluntarily established 52 years ago by 12 regional and area utility organizations in response to the 1965 Northeast Blackout, but it was only certified as the ERO in July 2006, partly owing to its response to the massive Eastern Interconnection blackout in August 2003.

Over NERC’s thirteen years as ERO, FERC has conducted three performance assessments of NERC, and a draft order FERC issued on Thursday stemming from the latest one found that NERC and the bulk power system’s regional entities “continue to satisfy statutory and regulatory criteria” for ERO certification. FERC staff added that over the last five years, NERC has achieved a risk-based approach that “focuses ERO resources on matters of most significance to reliability,” despite rapid changes in the power sector.

Among significant initiatives, NERC developed more than 20 reliability standards and guidelines (compared to only two during the prior 2009–2014 assessment period) about numerous topics, such as for inverter resource performance, gas and electric operational coordination, generation loss of communications, distributed energy resource modeling, and cyber and physical security. It also issued multiple standards and lessons learned and alerts about “newly-discovered” risks in cyber security.” Other actions FERC lauded are that NERC enhanced the capability of the Electricity Information Sharing and Analysis Center (E-ISAC), and that it improved its oversight over regional entities by implementing the ERO Enterprise Program Alignment Process, FERC said.

Notably, however, FERC underscored NERC’s “increasing reliance on guidelines”—noting that NERC is currently developing numerous additional guidelines relating to topics such as cyber security, natural gas–fired generation fuel security, electromagnetic pulse, and inverter technology—and it directed the entity to provide a more “transparent” standards development process concerning guidelines.

NERC hasn’t notified FERC of a “formalized written process to steer the development and approval of guidelines or to provide feedback to the NERC standard development process on whether the guideline is effective,” FERC said. In some cases, that has meant guidelines—which may be precursors to mandatory standards—are “based on the input of a limited number of interested participants and NERC staff’s perspective is unknown.” FERC gave NERC 90 days to explain how NERC evaluates the need to develop, approve, and post a guideline; how NERC assesses the effectiveness of the guideline in addressing risks; and how often NERC should evaluate whether components of the guidance should become reliability standards.

NERC May Retire 10 Reliability Standards—but Add Several More

In a separate action on Thursday, meanwhile, FERC issued a notice of proposed rulemaking to retire 74 of 77 non-critical infrastructure protection reliability standards requirements identified by NERC under its 2017-initiated Standards Efficiency Review Project. NERC said, (and FERC mostly agreed) that the requirements provided little to no reliability benefit; were administrative in nature, or related expressly to commercial or business practices; or were redundant with other reliability standards.

If retired as proposed the 74 requirements will result in the elimination of 10 reliability standards and the creation of modified versions of another seven reliability standards, FERC said. The 10 standards are: Reliability Standards FAC-013-2 (Assessment of Transfer Capability for the Near-term Transmission Planning Horizon), INT-004-3.1 (Dynamic Transfers), INT-010-2.1 (Interchange Initiation and Modification for Reliability), MOD-001-1a (Available Transmission System Capability), MOD-004-1 (Capacity Benefit Margin), MOD-008-1 (Transmission Reliability Margin Calculation Methodology), MOD-020-0 (Providing Interruptible Demands and Direct Control Load Management Data to System Operations and Reliability Coordinators), MOD-028-2 (Area Interchange Methodology), MOD-029-2a (Rated System Path Methodology), and MOD-030-3 (Flowgate Methodology).

However, FERC specifically declined to approve retirement of Reliability Standard VAR-001-6 Requirement R2 “because it is the only requirement that explicitly requires transmission operators to schedule reactive resources.” It also asked for more information on two other requirements—FAC-008-3 Requirements R7 and R8—suggesting those requirements “may not completely be covered by other Reliability Standards.” Those requirements, specifically, require that generators provide facility ratings to regional entities, and that transmission owners provide facility ratings and the identity of “limiting equipment” at facilities to regional entities.

FERC Approves New Reliability  Standards for Transmission Planning and Cybersecurity

Finally, on Thursday FERC issued two final rules approving TPL-001-5 (Transmission System Planning Performance Requirements) and CIP-012-1 (Cyber Security – Communications between Control Centers).

TPL-001-5 (Transmission System Planning Performance Requirements).  This standard establishes transmission system planning performance requirements within the “planning horizon” to develop a bulk power system that operates over a “broad spectrum of system conditions,” and will withstand a “wide range of probable contingencies.” Essentially, it will require every planning coordinator and transmission planner to perform annual planning assessments of their portion of the system considering a number of system conditions and contingencies, using a risk-based approach.

The standard is expected to affect 214 planning coordinators and transmission planners, including “small entities,” which will need to bear “one-time costs” of about $1,980 to implement the standard.

As NERC noted, the standard was necessary after a 2009 report found that three significant system disturbances between 2004 and 2009 were each caused by the failure of a single component of a protection system. Five years later, after collecting data from transmission planners to assess protection system single points of failure, NERC moved to modify the 2015-adopted TPL-001-4 to implement recommendations from the study, and planned maintenance outages and stability analysis for spare equipment strategies.

In its final order, however, FERC declined to pursue proposals that it would be reasonable to address single points of failure in combination with three-phase faults as “extreme events” without requiring corrective action plans. “Although the Commission previously noted that there is an average of approximately one three-phase fault event every three months since 2011, only ten indicated instances of a protection system single point of failure, which we agree is a rare occurrence,” it reasoned.

CIP-012-1 (Cyber Security – Communications between Control Centers). This standard essentially serves to protect the confidentiality and integrity of real-time assessment and real-time monitoring data transmitted between Control Centers. NERC filed the standard in response to a FERC 2016–issued Order 822.

As the federal regulatory agency noted, the new standard improves on the 11 existing critical infrastructure protection (CIP) standards by “supporting situational awareness and reliable bulk electric system operations.” However, in its new order, FERC went further and directed NERC to develop and submit modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system control centers. FERC, however, declined to adopt a directive proposed in Order 822 for NERC to develop modifications to the CIP Reliability Standards to identify the types of data that must be protected under Reliability Standard CIP-012-1. FERC reasoned that comments filed in response to the proposed rule convinced it that further clarification is not necessary.

The new standard will affect 719 entities, including reliability coordinators, generator operators and owners, transmission operators, balancing authorities, and transmission owners. FERC estimated that about 82% of the affected parties are “small entities” that will incur a total cost in the first year of compliance of $49,067 (half of which will be for paperwork alone). In the second and third years, annual paperwork costs will drop to $7,594, FERC said.

Sonal Patel is a POWER senior associate editor (@sonalcpatel, @POWERmagazine)

SHARE this article