The North American Electric Reliability Corporation (NERC) has asked the Federal Energy Regulatory Commission (FERC) to delay the implementation of seven reliability standards that relate to cybersecurity, training, disturbance monitoring and reporting, generator relay loadability, and coordination of protection systems for performance during faults.
In an April 6 filing to FERC, NERC noted the rules were scheduled to become effective later this year, but said their implementation could be hampered by “significant uncertainties” regarding the duration of the COVID-19 outbreak and recovery.
Significantly, NERC also noted it is exercising its enforcement discretion with respect to other currently effective reliability standards. It also said it would consider the COVID-19 pandemic an “extenuating circumstance” under its Sanction Guidelines for all noncompliance “where the impacts of the coronavirus outbreak, such as on workforce availability or supply chain resources, were a cause or contributing factor to the noncompliance.”
It is unclear when FERC could act on the motion, but, over the past week, NERC’s instant motion has been publicly supported by every RTO/ISO as well as major trade groups representing the nation’s investor-owned, public power, and electric cooperatives. However, at least one group has pushed back against the measure, saying a “blanket extension” for the seven reliability standards may not be justified or necessarily in the public interest.
Proposed Deferment of NERC Standards
As of April 6, NERC’s standards and timeframes for deferred implementation include (a list of all NERC standards is here):
- CIP-005-6 – Cyber Security – Electronic Security Perimeter(s), by three months; new proposed effective date: Oct. 1, 2020.
- CIP-010-3 – Cyber Security – Configuration Change Management and Vulnerability Assessments, by three months; new proposed effective date: Oct. 1, 2020.
- CIP-013-1 – Cyber Security – Supply Chain Risk Management, by three months; new proposed effective date: Oct. 1, 2020.
These standards, which FERC approved in 2018, would require entities to develop and implement supply chain cybersecurity risk management plans and implement new controls, but NERC said the pandemic could affect the supply chain and prompt personnel disruptions. As POWER reported in 2018, according to NERC’s Compliance Registry, more than 1,250 unique U.S. entities must comply with its growing list of CIP reliability standards. Of these entities, about 288 will face “an increased paperwork burden” owing to the three new CIP standards. The reporting burden may be steep: the average response could require 546 hours and $44,226. In total, FERC anticipates compliance with the rule could cost the industry about $13 million.
- PER-006-1 – Specific Training for Personnel, by six months; new proposed effective date for the U.S.: April 1, 2021.
- PRC-027-1 – Coordination of Protection Systems for Performance During Faults, by six months; new proposed effective date: April 1, 2021.
These standards, developed to replace currently effective standards, would have required power companies to develop and implement generator plant staff training programs, and integrate the functions and limitations of protection systems and action schemes into their operational planning analyses and real-time assessments. Generators are already in the process of scheduling and providing required training to meet the still effective (until FERC approves NERC’s measure, at least) date of Oct. 1, 2020.
- PRC-002-2 – Disturbance Monitoring and Reporting Requirements (phased-in implementation for Requirements R2-R4 and R6-R11), by six months; new proposed effective date: Jan. 1, 2021.
This standard, which became effective in the U.S. in July 2016, seeks to reduce bulk electric system (BES) disruptions by providing NERC with more data to help with deeper analysis. As currently scheduled, registered entities are required to demonstrate 50% compliance with several requirements (Requirements R2-R4 and R6-R11) in the standard by July 1. Under NERC’s April 6 motion, entities would receive a six-month deferment to meet the 50% compliance requirement, but they would still need to meet the full compliance deadline by July 2022, as originally required.
- PRC-025-2 – Generator Relay Loadability (phased-in implementation for Requirement R1, Attachment 1, Table 1 Relay Loadability Evaluation Criteria Options 5b, 14b, 15b, 16b), by six months; new proposed effective date: Jan. 1, 2021.
This standard, which became effective in 2018, would set load-responsive protective relays associated with generation facilities at a level to prevent unnecessary tripping of generators during a system disturbance for conditions that do not pose a risk of damage to the associated equipment. Entities are required to demonstrate compliance with some aspects of the rule by July 1, 2020, but because NERC recognized that, owing to COVID-19, some entities may not be able to complete the resource-intensive work by the deadline, it wants to give them six more months. However, the remaining phased-in implementation dates would remain unchanged.
In a filing on April 7, the ISO/RTO Council, whose members include all North American RTOs/ISOs—including AESO, CAISO, ERCOT, IESO, ISO-NE, MISO, NYISO, PJM, and SPP—lauded NERC’s motion. The council said its members would need to “expend significant effort and resources in the coming months” to ensure compliance, but it said that the added flexibility would allow them to “focus their immediate efforts and resources on maintaining the safety of their workforces and communities, and maintaining the reliability and security of the grid during the COVID-19 emergency.”
The Edison Electric Institute, the American Public Power Association, the National Rural Electric Cooperative Association, and the Large Public Power Council agreed in a joint response filed on April 9. The group’s members “have been and continue to be appropriately focused on protecting the health and safety of their employees, who are responsible for maintaining reliable and secure grid operations, during the COVID-19 emergency. Considering the unknown duration of the COVID-19 pandemic, Joint Associations appreciate NERC’s proactive stance to support reliable and secure grid operations,” they said.
The groups noted that electric utilities have reprioritized work duties for essential personnel to respond to the pandemic and are also preparing for “potentially high rates of absenteeism” as staff become ill or need to care for sick family members. An issue power companies face in relation to the supply chain cybersecurity risk management plans and new supply chain controls, for example, is that supply professionals “who have been focused on the implementation of the new and revised CIP Reliability Standards, have been shifted to fulfill critical supply chain activities supporting the health of electric utility employees as they perform critical day-to-day operations.”
These professionals are also working to stay aware of potential issues and respond to other COVID-19–related issues across businesses related to availability of contracted personnel and materials. Meanwhile, vendors who provide products and services necessary for compliance have also reprioritized their work duties, which has prompted some delays in negotiation and execution of CIP-related contracts.
However, Protect Our Power, which describes itself as an “independent, not-for-profit advocacy group, was formed in 2016 with a single purpose of improving the U.S. electric grid’s resilience to attacks,” noted in the only cautionary response so far that the 90-day delay in the implementation of the supply chain cybersecurity standard may “not be in the public interest.” The threat posed by cybersecurity concerns is widespread and insidious, they suggested, noting: “It is undeniable that the risk that foreign governments, rogue agents and hackers pose to the electric grid, and to the supply chain for the grid, is a crisis unto itself.”
Protect Our Power has repeatedly warned about cyber-related vulnerabilities in the electric sector supply chain. In February, it published a report identifying major gaps in the sector’s supply chain, including that the sector still has “no manufacturing standards; no product testing; no certification process; and no agreement on who would even bestow a ‘seal of approval.’”
The group asked NERC to consider a 30-day delay to implement CIP-013-1, Cyber Security Supply Chain Risk Management, rather than the 90-day delay requested by NERC. “This approach would acknowledge the time lost by utilities due to the coronavirus pandemic, and effectively give that time back to them, but otherwise require the industry to continue to treat the supply chain security issue with the importance and seriousness it deserves.
“This would also prevent us from having one crisis, the pandemic, unnecessarily cause us to lose focus and a sense of urgency about another crisis, supply chain risk,” it said.