Plausible Deniability Rather Than Pragmatic Solutions the Signature of NERC CIP
By Mike T Swearingen – Originally published on LinkedIn
The Federal Energy Regulatory Commission Inquiries on the Effectiveness of the North American Electric Reliability Standard CIP -014-3
In light of recent physical attacks on the nation’s electric grid facilities being brought to the forefront by the media and Cyber threats to the electric grid from Russian and China resulted in a March 23, 2023 hearing by the Senate Committee on Energy and Natural Resources, physical security of the electric grid facilities is considered a new phenomenon. However, for those who have worked within the utility industry, these physical attacks are more common than you may think. The response would naturally be why these incidents over the years have not been reported in the same manner as the recent reports. The simple answer would be the change concerning the physical and cyber security of the electric grid has become more of a political issue due to the increasing importance of the electric grids relation to the ever-increasing critical loads served and the current green energy push. Another answer would be the acknowledged need to more accurately report grid cyber and physical incidents. Further, if one was to examine the reliability indexes reported to the U.S. Energy Information Administration (EIA) and calculate the Average Availability of Service Index (ASAI), an index that provides the percentage of time service is available to consumers, using the EIA information the numbers would reveal pockets within the U.S. where the ASAI percentage is decreasing which is an indication of the increased stress being placed on the electric grid. Given this information it is understandable why the order was issued by the Federal Energy Regulatory Commission (FERC)
On December 15, 2022, the Commission issued Order RD23-2-00 directing the North American Electric Reliability Corporation (NERC) to review CIP-014-3 effectiveness in light of recent physical attacks to electric grid facilities. In the Order, the Commission set forth the following requirements to be reviewed.
(1) the adequacy of the Applicability criteria set forth in the Physical Security Reliability Standard CIP-014-3 (Physical Security Reliability Standard)
(2) the required risk assessment set forth in the Physical Security Reliability Standard
(3) whether a minimum level of physical security protections should be required for all Bulk-Power System transmission stations and substations and primary control centers
On April 14, 2023, NERC issued a report Evaluation of the Physical Security Reliability Standard and Physical Security Attacks to the Bulk-Power System in response to the Commission’s Request. The report was intended to answer the questions of the Commission but when reviewed the report reveals less pragmatic and effective solutions and reads more like a legal defense of NERC’s current approach and measures. Ironically, the recent physical attacks were on distribution substations that would not be covered by the Order.
NERC CIP-014-3 Standard Exclusivity and the Dangers it Creates
Physical attacks against electric grid infrastructure have occurred for many years causing costly damage and small and even large-scale outages. The question is why the concern now. One of the major arguments is that physical attacks have increased rapidly in recent years but if you were to look at the industry over the past 30-40 years, you would see that physical attacks have occurred on the same scale during that time. Has the grid become more important than it was in the past? The answer would be yes. Due to the advancement of technology and its dependence on the electric grid and the push for green energy the grid has come to the forefront of critical infrastructure of the nation.
It is important to note that NERC operates two sets of standards in the form of operational standards and cyber security and physical standards. The operational standards are based on industry practices of operating the grid over the past 60 years and have their foundation in the electrical properties and physics of electric grid operation. The operational standards have worked well in the operation of the electric grid. Granted changes are made to improve the operational standards due to new and advancing technologies introduced to the electric grid.
In recent years NERC was called upon to develop standards to secure electric grid facilities in the form of the Critical Infrastructure Protection (CIP) standards. The intention of the CIP Standards to protect the electric grid from cyber and physical attacks seemed like a necessary focus to ensure grid reliability and sustainability. However, the issues became apparent when the parameters of the standards excluded the majority of the electric grid infrastructure. This exclusionary practice in the development of the CIP Standards created inherent vulnerabilities that would lead to disruptions in the electric grid.
In the report submitted by NERC on April 14, 2023, the report states that the purpose of CIP-0014-3 is to “identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in instability, uncontrolled separation, or Cascading within an Interconnection”.
The CIP Standard CIP-014-3 is the criteria for the physical security of the electric grid and its critical facilities. When examined the exclusionary nature of the criteria becomes readily apparent. In CIP-014-3 the definition of the facilities covered by the standard is determined by the voltage, above 200kV, and a weighted aggregation of the facilities served by a transmission facility. The argument in support of CIP-014-3 is that the transmission facilities aggregated weight as defined by the standard includes the facilities served. However, this approach focuses on dealing with the transmission facilities without a more refined focus on the facilities connected to it. This causes issues that CIP-014-3 tries to avoid in reducing the risk of large outages due to cascading within the system. An example of the shortfalls within in the standard is one of many I encountered within my long career and a power system engineer.
In this particular case, which occurred 22 years ago, a substation encountered a failure in the 115kV circuit switcher on the source side of the distribution substation. The 115kV circuit switcher failed to operate and remained closed allowing a fault to travel upline to a transmission interchange causing a large outage. It was determined upon examination that the level of the SF6 arc extinguishing medium was at a level where the circuit switcher did not operate in relation to the ambient temperature at the substation. For those who have worked with circuit switchers the device will not operate if the amount of SF6 in relation to temperature is outside the requirements defined by the manufacturer. The question at first became why the utility was not aware of this condition? At the time the utility did its substation inspection, which is a practice for some utilities, the level of SF6 within the circuit switcher fell within the manufacturer’s table of acceptable levels. However, after an inspection it was determined there was a slow leak from the device that occurred between the inspection and when the fault occurred. The cause of the leak was never determined but this is an example of distribution facilities that can cause major outages. This particular substation would be outside the scope of CIP-014-3. It should be noted that this particular substation was interconnected with a looped transmission system. The reason the outage did not cover a larger area was due to a segment of the transmission loop being open at the time. The fact that a segment of the transmission loop was open when it normally operates closed exposes another flaw in the CIP-014-3 requirements since it shows that substations are fed from multiple sources. A condition that is more common than one would think. As a result, the aggregated weight principle for transmission facilities is not sufficient. This is just one of many examples I have seen throughout my career and an example many engineers could relate to.
How CIP-002-5.1a Confines the Requirements of CIP-014-3
While CIP-014-3 has flaws that require changes, CIP-002-5.1 aggregates the problem in the definition of the Bulk Electric System (BES). In CIP-002-5.1a the requirements define BES facilities by underfrequency automatic load shedding (UFLS), undervoltage automatic load shedding (UVLS) of 300 MW or more, the use of Special Protection System (SPS) and Blackstart resources. These requirements exclude a majority of facilities within the electric grid that would be considered as critical infrastructure by Regional Transmission Organizations (RTO), Independent System Operators (ISO) and utilities. This infrastructure that is excluded from the scope of CIP-002-5.1 is contained in the engineering models of RTO’s, ISO’s and utilities due to how the critical infrastructures function within the system. The reason these facilities are included in the engineering models, would be excluded by CIP-002-5.1a, is because they are a necessary component of the system when evaluating system operation for planning, load flows, protection and the interconnection of new transmission facilities.
When connecting new generation facilities, including renewable energy, the potential interconnection of these facilities must be evaluated in engineering models to determine their impact on the electric grid. In addition, to determine the effect of the generation interconnection not only on a utilities system engineering modeling is required to include the modeling of other interconnected systems. In many cases the inclusion of up-to-date engineering system models of other interconnected facilities requires a request to obtain those models through a Critical Electric Infrastructure Information (CEII) request.
This leads to the question of why CIP-002-5.1a is so exclusionary in its nature. One argument could be made that if you limit the scope of the standard there is a smaller set of facilities you are responsible for. Including all infrastructure would be considered too much of a leviathan for standard enforcement but being exclusionary presents similar reliability problems because of what is ignored.
The Need for New Solutions to CIP-002-5.1a and CIP-014-3
Based on the current scope of CIP-002-5.1a and CIP-014-3 the grid will face large scale outages due to unrecognized critical facilities. Based on the NERC Report to FERC it appears these issues will remain unresolved.
NERC made the following statement:
NERC acknowledges, however, that supplementary data could show that additional substation configurations would warrant assessment under CIP-014. Accordingly, NERC plans to continue evaluating the adequacy of the Applicability criteria in meeting the objective of CIP-014. Following issuance of this report, NERC will work with FERC staff to hold a technical conference to, among other things, identify the type of substation configurations that should be studied to determine whether any additional substations should be included in the Applicability criteria. The technical conference would also help establish data needs for conducting those studies.
This would seem to be a reasonable statement, but on further scrutiny of the statement made by NERC it can be noted that NERC’s evaluation of the adequacy of the applicability criteria within CIP-014-3 would be done in cooperation with FERC staff. While satisfying the requirements of the Commission and its staff is important, NERC should not exclude the input of the industry, especially the input of engineers, technicians and operators of the electric grid.
The report further stated the following:
Clarify the risk assessment methods for studying instability, uncontrolled separation, and Cascading; such as the expectations of dynamic studies to evaluate for instability.
Clarify the case(s) used for the assessment to be tailored to the Requirement R1 in-service window and correct any discrepancies between the study period, frequency of study, and the base case a TO uses.
Clarify the documentation, posting, and usage of known criteria to identify instability, uncontrolled separation, or Cascading as part of the risk assessment. The criteria should also include defining “inoperable” or “damaged” substations such that the intent of the risk assessment is clear.
Clarify the risk assessment to account for adjacent substations of differing ownership, and substations within line-of-sight to each other.
Finally, while NERC is not recommending an expansion of the CIP-014 Applicability criteria at this time, NERC finds that, given the increase in physical security attacks on BPS substations, there is a need to evaluate additional reliability, resiliency, and security measures designed to mitigate the risks associated with those physical security attacks.
It is important for the Commission and NERC to redefine the criteria of CIP-002-5.1a and CIP-014-3 by developing criteria for critical infrastructure that is defined by the RTO’s, ISO’s and utilities models which would provide a more accurate account of critical infrastructure. This would provide the Commission and NERC with already established engineering models that could be available for review upon request in any timeline they would consider prudent. However as stated in their report, they are not recommending “an expansion of the CIP-014 Applicability criteria at this time”. It seems with all the content contained in the 31-page report submitted by NERC the main takeaway would be that NERC is open to tabletop discussions of potential measures but is currently satisfied with the status quo.
This report, as it stands, is concerning as it continues to allow a vacuum in security that exists through the scope and exclusionary method of standards as currently enforced. Should this trend continue concerning electric grid security and the stress on the grid growing due to the aggressive expansion of green energy without comparable expansion in grid facilities, the nation will be facing a less reliable electric grid and more large-scale outages more frequently.