15 Sep 2022
By JC Culberson
Obviously, the NERC Reliability Standards (Standards) were developed with the intent of improving reliability of the Bulk Electric System (BES), but how does that directly translate to actual improved performance and reliability of the Facilities that make up the BES? As a Senior Auditor at NERC, I fielded this question multiple times. There is no easy answer. True, the intent of the Standards is to increase reliability. While there is no data to support the idea that the Standards are responsible for increased reliability of the BES, they do provide a rigid set of requirements that, if complied with correctly, absolutely increase reliability. At the very least, they decrease the likelihood of diminished reliability of the BES. In addition to this very valuable benefit of compliance with the Standards, the motivation for many to comply with them also includes hedging against potential findings of non-compliance, and the dreaded fines that may be associated with instances of violations. With that being said, let’s take a look at some of the Standards that seem to be violated more than others.
Most violated Standards (and the associated risks)
Last year, CIP-007, CIP-010, and CIP-005 were three of the most violated Standards, which begs the question, why are we, as an industry, having so many issues with these Standards? The easy answer is we are part of an industry that, for decades, has been focused on one mission - to generate, transmit, and distribute electricity. The added expertise needed for cyber and physical security isn’t something that has always been a fixture in our industry. The violation numbers suggest that more work is needed with compliance efforts for CIP Standards. What’s the risk? Well, there’s the risk of unwanted intrusions into our Facilities, our networks, our SCADA or EMS systems, etc. There’s no shortage of threat actors who would seize an opportunity to cause negative impacts on the BES; CIP Standards are designed to make it very difficult for that to happen. The CIP Standards have undergone more overall versions than the Operations and Planning Standards, signaling the fact that these requirements are changing to try and keep up with the ever-present cyber and physical threats. In simplistic terms, bad actors need only be successful once, while we must be successful every time there’s an attempted breach of security. The extent of damage could quickly move beyond one Facility to impact the entire system, which is why these Standards must be at the forefront of everyone’s compliance efforts.
In addition to the CIP Standards mentioned above, the list of O&P Standards that were violated most in 2021 includes PRC-005, FAC-003, EOP-008, and PER-003. These particular Standards address protection system and relay maintenance, vegetation management, loss of control center functionality, and operating personnel credentials. These Standards and their associated requirements deal with very tangible issues that we must master in order to maintain a reliable BES. It’s not too difficult to understand how maintaining lines and relays, ensuring the control center is functional, and training operations personnel are essential to maintaining a functioning, reliable system.
The real question is why are these Standards finding their way onto the list? Many times, there are missed deadlines for certain maintenance activities (such as battery testing in a substation control house, or not keeping accurate training records). There are also occasions where it is found that a registered entity has incorrect relay settings, or there has been no inspection or maintenance of transmission lines, which can lead to devastating and expensive events for the local system – and potentially for the BES. As any good statistician will say, an increase in small, seemingly insignificant issues will eventually result in larger and more intense problems, should they go unchecked. Many of these violations were found during an audit or Spot Check. This leads me to the next point: catching these vulnerabilities or violations before they become a larger problem.
It is much better to identify these issues through a robust internal controls and program improvement effort that leads to self-reporting violations, rather than to be caught unaware during an audit. Yet, even in the case of uncovering a violation during an audit, there are mitigation efforts that are triggered to ensure the issue is properly resolved, and steps that are taken to ensure the issue will not continue in the future. This view on audits, although anxiety-provoking, is a good way to correct issues that have the potential to wreak havoc on the BES. It is always better to identify and correct any potential issues through self-reporting than to have an Auditor find the instance of non-compliance. On the flip side, the benefits of identifying these possible pitfalls far outweigh the approach of doing the bare minimum and hoping the Audit team doesn’t find any violations.
Building a culture of compliance
When taking a deep dive into a NERC compliance program, we inadvertently take a long look at the operations and planning departments and processes, leading to more reliable and compliant operations. By conducting an analysis to ensure any gaps in compliance are identified, an entity can greatly reduce the potential for greater fines, while increasing reliability. If, while already working to remedy the issue and develop a mitigation plan, an entity self-reports a violation, NERC and the Regional Entities view this as an indicator of a strong compliance program and a healthy culture of compliance.
Compliance staff partnerships with business units
There once was a common view of compliance personnel as people who make a job more difficult by enforcing regulatory requirements, while business units are just trying to do their jobs. Over the past decade or so, that paradigm has shifted in many entities, leading to a better partnership between operations and planning personnel and the compliance staff. Compliance should be viewed as a mechanism by which we improve processes and programs, becoming more efficient and reliable as a result. At many ISOs, transmission entities, and other utilities, the compliance department is now comprised of former System Operators, Analysts, and Engineers from the business units, which leads to a better understanding of how the work is being completed and how that complies (or doesn’t quite comply) with the Standards. By cultivating this partnership between ops and planning staff and compliance personnel, and achieving buy-in from all involved, there is a greater likelihood that mistakes will be caught and corrected, leading to an increase in reliability.
A Good Culture of Compliance is a Great Complement to Existing Operations and Planning Departments
In our usual operations and planning duties, it is important to take the occasion to remember why we’re doing what we do. In order to keep supply and demand properly balanced at 60 Hz, ensure all load is served, and maintain the systems, equipment, and facilities that make this possible, we need a framework of requirements to ensure there are no gaps in reliable operations. The NERC Reliability Standards are developed to do just that. By using industry volunteers to draft the Standards, we have a voice in the NERC process. This means that, using our best people to engage in the compliance process at the NERC and RE levels, we can help ensure that the Standards are being written well and will accurately address the issue the Standard is trying to resolve. In closing, it is very important that our industry stay on top of developments at NERC, including project meetings, steering committees, and upcoming standards, and engage our best people in the compliance processes. By doing so, we will be better represented, and the reliability of the BES will remain high in the years to come.
JC Culberson is Director of NERC and Regulatory Compliance at Electric Power Engineers, Inc. He boasts a wealth of experience in the areas of NERC and regulatory compliance, transmission operations, RTO/ISO operations and planning, and ERO operations, with extensive NERC compliance consulting expertise related to the Transmission Operator, Reliability Coordinator, Balancing Authority, Transmission Owner, Transmission Planner, Generator Owner, and Generator Operator functional entities. JC has managed and led numerous compliance and operations departments in the energy industry, with a record of successful implementation of compliance processes and operations for these entities. Additionally, JC possesses a great deal of experience in ISO/RTO operations, training, and situational awareness. JC is fluent in English, and moderately fluent in the Arabic language.
Electric Power Engineers | epeconsulting.com