2019 MRO Regional Risk Assessment - January 8, 2019 - Midwest Reliability Organization
Table of Contents

1. PREFACE
2. ERO RISK ELEMENTS
   Regional Risk Elements
3. 2019 MRO REGIONAL RISK ASSESSMENT
   System Performance Assessments
      Misoperations
      Regional Event Analysis
   Requirements with High Risk Violations
   MRO Region Risks to Security
      Spear-phishing
      Risks to Smaller Utilities
      Supply Chain Issues
      Regional/Centralized Security Operations Center
      Compliance Fatigue
      ICCP Security
      Unmanned Aerial Systems
      Environmental Activism
      IT/OT Convergence
      Changing Threat Landscape
      Communications
      Threat of Insiders
      Physical Security
   MRO Region Risks to Operations and Planning
      Remedial Action Schemes
      Market Participation
      Vegetation Management
      Changing Resource Mix
      Regional Natural Hazard Assessment
      Complex Ownership and Interconnections
      Interconnection Reliability Operating Limits (IROL)
      Critical Communication Circuit Sunset
   New High Risk Reliability Standards and Requirements
      FAC, TOP, and IRO Operating Limits Reliability Standards
      Reliability Standards Enforceable in 2018
      Geomagnetic Disturbance (GMD) Reliability Standards EOP-010-1 and TPL-007-1
      Model Data Reliability Standards
      Planning Standard TPL-001-4
4. MRO PERFORMANCE AREAS
   Alignment of 2019 MRO Performance Areas and ERO Risk Elements
5. CONCLUSION
1. PREFACE

Midwest Reliability Organization (MRO) is dedicated to its vision of a highly reliable and secure North American bulk power system.

To ensure reliability of the bulk power system (BPS) in the United States, Congress passed the Energy Policy Act of 2005, creating a new regulatory organization called the Electric Reliability Organization (ERO) to establish mandatory Reliability Standards and monitor and enforce compliance with those standards on those who own, operate or use the interconnected power grid. In 2006, the Federal Energy Regulatory Commission (FERC) approved the North American Electric Reliability Corporation (NERC) as the ERO under section 215(e)(4) of the Federal Power Act. NERC delegates its authority to monitor and enforce compliance to seven Regional Entities established across North America, including MRO. Recognizing the international nature of the grid, NERC as the ERO, along with MRO, established similar arrangements with provincial authorities in Canada.

The MRO region spans the provinces of Saskatchewan and Manitoba, and all or parts of the states of Arkansas, Illinois, Iowa, Kansas, Louisiana, Michigan, Minnesota, Missouri, Montana, Nebraska, New Mexico, North Dakota, Oklahoma, South Dakota, Texas, and Wisconsin. The region is comprised of almost 200 organizations that are involved in the production and delivery of electricity, including municipal utilities, cooperatives, investor-owned utilities, transmission system operators, federal power marketing agencies, Canadian Crown Corporations, and independent power producers.

MRO's primary responsibilities are to:
- ensure compliance with mandatory Reliability Standards by entities who own, operate, or use the bulk power system;
- conduct assessments of the grid's ability to meet electricity demand in the region; and
- analyze regional system events.

Additionally, MRO creates an open forum for stakeholder experts in the region to discuss important topics related to addressing risk and improving reliable operations of the BPS.
2. ERO RISK ELEMENTS

As part of its 2019 ERO Enterprise Compliance Monitoring and Enforcement Program (CMEP) Implementation Plan (IP), NERC establishes the ERO Risk Elements that it uses to identify and prioritize interconnection and continent-wide risks to the reliability of the BPS. To support the CMEP IP, the MRO Regional Risk Assessment (MRO RRA) is an annual report that evaluates the ERO Risk Elements and also identifies risks specific to MRO entities and the MRO footprint that could potentially impact the reliable and secure operations of the BPS.

The 2019 ERO Risk Elements are:
- Improper Management of Employee and Insider Access;
- Insufficient Long-Term Planning Due to Inadequate Models;
- Insufficient Operational Planning Due to Inadequate Models;
- Spare Equipment with Extended Lead Time;
- Inadequate Real-time Analysis During Tool and Data Outages;
- Improper Determination of Misoperations;
- Inhibited Ability to Ride Through Events; and
- Gaps in Program Execution.

The following 2019 ERO Risk Elements, along with the accompanying risk element description, are posted in the 2019 CMEP IP.[1] The 2019 ERO Risk Elements, developed by NERC, are provided herein for review and consideration because they were utilized in the development of the 2019 MRO RRA:

Improper Management of Employee and Insider Access

The protection of critical infrastructure remains an area of significant importance. This risk element establishes a focus on the human element of security, one of the descriptors of cybersecurity vulnerabilities identified in the 2018 RISC report.[2] Regardless of the sophistication of a security system, there is potential for human error. Compliance monitoring should seek to understand how entities manage the risk of how many people have access and the complexity of the tasks the people are asked to perform.
If security has increased the difficulty in performing personnel’s normal tasks, personnel will look for ways to circumvent the security to make it easier to perform their job. On the other hand, when complex tasks are replaced with automation, focus should be on whether the learning curve of setting up the automation correctly was mitigated.

Harvesting credentials and exploiting physical and logical access of authorized users of Bulk Electric System (BES) facilities and Cyber Systems (BCSs) pose a major risk to systems that are used to monitor and control the BPS. This risk is heightened because the targets are privileged and non-privileged users with authorized unescorted access, who have an unprecedented level of access to critical aspects of the BES. By actively and covertly employing social engineering techniques and phishing, an adversary can trick authorized users in order to harvest credentials and gain access.[3] Improper access of employees can lead to BCSs being compromised and is a major risk to systems that are used to monitor and control the BPS.

[1] 2019 CMEP IP
[2] ERO Reliability Risk Priorities; February 2018

Based on the results of NERC’s Remote Access Study, many systems used to operate the BES rely on remote access technologies. Remote access refers to the ability to access a system, application, or data from a remote location. Remote access can take one of two forms: 1) human or user-initiated remote access, referred to as Interactive Remote Access in NERC’s CIP Reliability Standards; or 2) automated system-to-system access. Registered entities frequently use Interactive Remote Access technologies to enable remote users to operate, support, and maintain control systems networks and other BES Cyber Systems. Among other things, providing for remote access enables users to efficiently access Cyber Assets to troubleshoot application software issues and repair data and modeling problems that cause application errors.

These remote access technologies, while important for efficiently operating, supporting, and maintaining Cyber Assets, including those for control systems, could open up attack vectors. If not properly secured, remote access could result in unauthorized access to a registered entity’s network and control systems with potentially serious consequences. For instance, an attacker could breach an environment via remote access by deliberately compromising security controls to obtain privileged access to critical systems.
Although registered entities generally do not rely on Internet-facing systems to operate and monitor the BES, malicious actors have demonstrated capabilities to infiltrate systems that are not Internet-facing, such as systems designed to run autonomously with minimal human interaction and other mission-critical applications that are used to perform supervisory control that, if misused, could result in serious reliability issues. Additionally, a compromised device that is allowed to remotely access a Cyber Asset can serve as a gateway for cyber-criminals to attack networks.

The identified area’s risks can be mitigated through awareness and technical controls. Entities need to enhance security awareness to include specific topics on social engineering and insider threat. By implementing detection and monitoring tools as technical controls, insider threat incidents can be prevented proactively. Further, having a formalized insider threat management program in place can vastly reduce the associated risk.

Insufficient Long-Term Planning Due to Inadequate Models

Planning and system analyses are performed for the integration and management of system assets. This includes the analyses of other emerging system issues and trends (e.g., significant changes to the use of demand-side management programs, the integration of inverter based resources and variable energy resources, changes in load characteristics, increasing dependence on natural gas deliverability for gas-fired generation, increasing uncertainty in nuclear generation retirements, and essential reliability services). NERC’s annual Long-Term Reliability Assessment[4] forms the basis of NERC’s assessment of emerging reliability issues. The ERO continues to raise awareness on inverter-based resource performance through NERC alerts[5] and industry outreach. Compliance monitoring should seek to understand how entities manage the risk of planning in this changing environment.

[3] US-CERT TA18-074A
[4] NERC’s annual Long-Term Reliability Assessment
[5] NERC alerts

Insufficient long-term planning can lead to increased risks to reliability. Adequately modeled planning cases become increasingly critical as a changing resource mix, deployment of new technologies, etc., affect the risk to BPS reliability. For instance, the models should reflect if the power electronic controls of utility-scale inverter based resources, such as PV resources, give these resources the ability to provide both Real and Reactive power.

As stated in the 2018 RISC report,[6] since the rate of change of the resource mix is increasing, planners will place more emphasis on interconnection-wide studies that require improvement to and integration of regional models. In addition, enhancements to models will be needed to support probabilistic analysis to accommodate the energy limitations of resource additions (such as variable renewable resources). Resource adequacy must look beyond the calculation of reserve margins that assume actual capacity available during peak hours.

Insufficient Operational Planning Due to Inadequate Models

Insufficient operational planning can lead to increased risks to reliability. More comprehensive dynamic load models will be needed to sufficiently incorporate behind-the-meter generation and distributed load resources such as demand-side management programs. One of the ways in which the industry can better understand the system is by monitoring load characteristics and the changing nature of load due to DER. The NERC Load Modeling Task Force developed a reliability guideline that provides Transmission Planners (TPs) and Transmission Owners (TOs) with insights into end-use load behaviors and how to capture them in the composition of dynamic load models.[7] Additional studies have similarly shown a need to more accurately understand and model inverter-based resource characteristics.
NERC has identified adverse characteristics of inverter-based resources in two separate Alerts.[8] With the recent and expected increases of both utility-scale solar resources and distributed generation, the causes of a sudden reduction in power output from utility-scale power inverters need to be widely communicated and addressed by the industry. Entities with increasing inverter-based resources should be aware of this and address it within their models.[9]

Spare Equipment with Extended Lead Time

As the BPS ages, less-than-adequate infrastructure maintenance is a reliability risk that continues to grow. The RISC report identifies that the failure to maintain equipment is a reliability risk exacerbated when an entity either does not have replacement components available or cannot procure needed parts in a timely fashion. The failure to properly commission, operate, maintain, prudently replace, and upgrade BPS assets generally could result in more frequent and wider-spread outages, and these could be initiated or exacerbated by equipment failures.

[6] ERO Reliability Risk Priorities; February 2018
[7] NERC Modeling Improvements Initiative Update; May 2018
[8] Industry Recommendation: Loss of Solar Resources during Transmission Disturbances due to Inverter Settings; June 2017 and Industry Recommendation: Loss of Solar Resources during Transmission Disturbances due to Inverter Settings - II; May 2018
[9] NERC Modeling Notification: Recommended Practices for Modeling Momentary Cessation Distribution; April 2018
Spare equipment strategy is an important aspect of restoration and recovery. The strategy should encompass identifying critical spare equipment as part of a national or regional inventory. The strategy should also account for the transportation and logistics requirements for replacing critical assets. An improved spare equipment strategy or plan will lead to better planning and possibly faster response times for restoration and recovery. A spare equipment strategy can help strengthen the resiliency for responding to potential physical threats and vulnerabilities.[10]

Inadequate Real-time Analysis during Tool and Data Outages

Without the right tools and data, operators may not make decisions that are appropriate to ensure reliability for the given state of the system. NERC’s ERO Top Priority Reliability Risks 2014-2017 notes that “stale” data and lack of analysis capabilities contributed to the blackout events in 2003 (“August 14, 2003 Blackout”) and 2011 (“Arizona-Southern California Outages”). Certain essential functional capabilities must be in place with up-to-date information available for staff to use on a regular basis to make informed decisions. Specifically, entities are to be encouraged to have realistic plans to continue real-time analysis during outages of tools, loss of data, or both.

The 2018 RISC report[11] identifies that loss of situational awareness can be a precursor or contributor to a BPS event. This risk element is made more important in situations where planning models may not keep pace with increasing BPS complexity and accurately reflect area specific dependencies on inverters, natural gas, or other items identified in the other 2019 risk element “Planning Representing Area Specific Dependencies and Characteristics”.
Forecasting BPS resource requirements to meet customer demand is becoming increasingly difficult due to the penetration of DER, which can mask the customer’s electric energy use and the operating characteristics of distributed resources without sufficient visibility.

Compliance monitoring should understand the plan and the capability and feasibility of the entity’s skilled workforce to implement the plan within a reasonable time frame. Monitoring should include a keen eye on events and the human evaluation rather than simply looking at RTCA scans. RTCA is a tool to help achieve the intent of these requirements, but RTA is the human evaluation of computer generated results. While the two are linked in this process, simply having RTCA running in the background does not constitute an assessment of the system.

Improper Determination of Misoperations

Protection systems are designed to remove equipment from service so the equipment will not be damaged when a fault occurs. Protection systems that trip unnecessarily can contribute significantly to the extent of an event. When protection systems are not coordinated properly, the order of execution can result in either incorrect elements being removed from service or more elements being removed than necessary. Such coordination errors occurred in the Arizona-Southern California Outages (see recommendation 19),[12] the August 14, 2003 Blackout (see recommendation 21),[13] and the Washington, D.C., Area Low-Voltage Disturbance Event of April 7, 2015 (see recommendation 2).[14]

[10] CIP-014-2 Guidelines and Technical Basis, Requirement R5
[11] ERO Reliability Risk Priorities; February 2018
[12] Arizona-Southern California Outages on September 8, 2011

Furthermore, a protection system that does not trip, or is slow to trip, may lead to the damage of equipment (which may result in degraded reliability for an extended period of time), while a protection system that trips when it shouldn’t can remove important elements of the power system from service at times when they are needed most. Unnecessary trips can even start cascading failures as each successive trip can cause another protection system to trip.

The 2018 RISC report[15] includes a key point that the ERO Enterprise, the impacted organizations, and the respective forums and trade organizations should perform post-event reviews to capture lessons learned and how to reduce the impact of future events. These reviews will be incomplete if some events go unnoticed because the relay operations were not reviewed by qualified personnel. The report also identifies the risk posed by the increasing complexity in protection and control systems, further emphasizing the importance of a skilled workforce analyzing events and relay operations.

Inhibited Ability to Ride through Events

Generating plant protection schemes and their settings should be coordinated with transmission protection, control systems, and system conditions to minimize unnecessary trips of generation during system disturbances.[16] Increased implementation of inverter-based resources has brought a focus on this issue. The ERO continues to raise awareness on inverter-based resource performance through NERC alerts[17] and industry outreach. Compliance monitoring should seek to understand how entities manage the risk of resource availability in this changing environment.

Gaps in Program Execution

The ERO Enterprise has observed an increase in FAC-003 R2 violations resulting in vegetation contacts.
These violations result from vegetation management programs that have less than adequate procedures to address identified problems or that fail to adapt to changing conditions, e.g., increased precipitation that accelerates vegetation growth.[18]

Change management weaknesses have also led to significant violations related to Facility Ratings and maintenance of Protection System devices. Some registered entities have Facility Ratings based on inaccurate equipment inventories, or ratings are not being updated during projects or following severe weather. Where records are not kept up to date, inaccurate models and damaged equipment can result. Failing to keep accurate inventories of equipment, following asset transfers, addition of new equipment, or mergers and acquisitions, is also causing incomplete Protection System Maintenance and Testing Programs that jeopardize the functionality of the equipment to respond to faults or disruptions on the electric system.

[13] Final Report on the August 14, 2003 Blackout
[14] Washington, D.C., Area Low-Voltage Disturbance Event of April 7, 2015
[15] ERO Reliability Risk Priorities; February 2018
[16] Considerations for Power Plant and Transmission System Protection Coordination, July 2015
[17] NERC alerts
[18] See Notices of Penalty filed May 31, 2018 in FERC Docket Nos. NP18-11-000, NP18-12-000, and NP18-13-000.

Regional Risk Elements

In order to ensure that the ERO Risk Elements and their associated areas of focus, as well as any significant risks recognized by the MRO RRA, are addressed, MRO has developed Performance Areas. Performance Areas organize requirements according to the activities performed by entities to promote reliable and secure operations of the BPS. Using Performance Areas simplifies the process of identifying those requirements that should be monitored in order to effectively address identified risks. The 2019 MRO Performance Areas list is located at the end of this report and is available on MRO’s website.[19] Each Performance Area includes a description of the identified risk and a list of associated requirements that address those risks. MRO utilizes Performance Areas to address the risks identified in the ERO Risk Elements and the MRO RRA, but has not identified any Regional Risk Elements.

3. 2019 MRO REGIONAL RISK ASSESSMENT

On July 1, 2018, the revised delegation agreement between Midwest Reliability Organization (MRO) and the North American Electric Reliability Corporation (NERC) became effective, expanding MRO’s regional boundaries to the southern half of the Midwest including all or parts of the states of Arkansas, Kansas, Louisiana, Missouri, New Mexico, Oklahoma, and Texas. With this expanded footprint, MRO now has oversight responsibility for much of central North America, including all or part of 16 states and 2 Canadian provinces.

The following sections of this report highlight significant risks identified by MRO that could impact the reliability of the BPS in the region and the ongoing work by MRO stakeholders to improve reliability, security, and resiliency.
It is important to note that risks identified in this report may apply to the whole footprint or to specific localized areas. For risks associated with a particular entity, a more granular review is performed by conducting the entity’s Inherent Risk Assessment (IRA). In addition, some topics discussed in the RRA may include possible solutions or ways for an entity to mitigate the identified risks. Other topics may include discussion on focused compliance monitoring efforts in response to the risk, which also addresses the identified risk. However, not all risk topics addressed in the MRO RRA will include mitigating solutions or discussions on focused compliance monitoring.

System Performance Assessments

Misoperations

Since 2012, NERC Event Analysis[20] metrics have identified protection system misoperations as a significant contributor to the severity of BPS events. In 2016, the MRO Protective Relay Subcommittee (MRO PRS) published the Protection System Misoperations Phase I white paper.[21] The white paper was part of the MRO PRS misoperation reduction project to support NERC’s goal of reducing the rate of misoperations. The white paper, and subsequent MRO RRAs, analyzed the misoperation modes of protection system schemes because a disproportionate share of misoperations within the Regional Entities occur in MRO. The white paper discussed approaches to reduce the occurrence of those misoperations. Performance of overcurrent relays, directional current blocking, and direct transfer trip schemes discussed in the Phase I white paper will continue to be monitored and evaluated as more data becomes available.

[19] 2019 MRO Performance Areas List
[20] NERC Event Analysis
[21] Protection System Misoperations Phase I white paper

While reducing the overall rate of misoperations will improve BPS reliability, the MRO PRS believes it equally important to consider misoperation types that have greater impact on BPS reliability per individual occurrence. Analysis of regional misoperations from 2010 through 2016 revealed that misoperations associated with differential relays and with breaker failure relays had more severe impact on BPS reliability than others. Those two high impact misoperation categories were the subject of the MRO PRS Phase II[22] white paper. A key takeaway from the Phase II white paper is that a vast majority of misoperations could have been prevented with detailed commissioning and testing practices by on-site personnel. While commissioning errors are not currently addressed by the NERC Reliability Standards, the MRO PRS provided guidance on how to perform commissioning to avoid these high impact misoperations.

The 2018 NERC State of Reliability[23] (SOR) reported a continuation of the five-year trend of declining misoperation rates across North America, down from 8.8% in 2016 (Q4 2015 – Q3 2016) to 8.0% in 2017 (Q4 2016 – Q3 2017). The SOR recommendations included Regional Entity outreach, education, and training to reduce protection system misoperations, both in terms of rate and impact on the BPS, consistent with the work of the MRO PRS.

MRO uses Figures 3.1.1 and 3.1.2 to trend misoperations in the region. Figure 3.1.1 indicates the percent of misoperations per total number of operations dating back to 2013.
Figure 3.1.2 is the total number of misoperations reported to MRO since 2007. Note that the 2018 data has only been collected through Q1.

Analysis of misoperations of protection systems provides a valuable opportunity to identify ways to improve the reliability of the BPS. Therefore, MRO has created the Misoperation Analysis performance area to monitor risks associated with misoperations.

[22] Protection System Misoperations Phase II white paper
[23] 2018 NERC State of Reliability
Figure 3.1.1 – Misoperation Rates

Figure 3.1.2 – Total Misoperations (Through Q1 2018)
Regional Event Analysis

The Event Analysis process begins as soon as possible after an event to determine the significance of the event and level of analysis required. The registered entity prepares a brief report for MRO Reliability Assessments and Performance Analysis (RAPA) staff to review. During the event review process RAPA staff and the registered entity work together to:
- Determine the underlying causes of events and support identification and tracking of recommendations to prevent reoccurrence;
- Disseminate important event information and lessons learned to BPS owners, operators, and users to improve operations; and
- Provide feedback to NERC’s development of Reliability Standards, training and education, and trend analysis.

In addition to the Event Analysis process, MRO Risk Assessment and Mitigation (RAM) staff perform Event Evaluations for all reported events and disturbances. The Event Evaluation focuses on compliance with Reliability Standards. The Event Evaluation allows RAM staff to determine whether to close the event from a compliance perspective or request that a registered entity perform a Compliance Assessment, as described in the 2019 CMEP Implementation Plan.[24] RAM staff also uses the Event Evaluation to identify reliability risks that may inform future compliance monitoring activities. The Event Evaluation may become input to the determination of a registered entity’s inherent risk, or become part of the oversight of NERC Reliability Standards and Requirements that are “event-based.” If and when identified risks are considered regional or might impact multiple entities, MRO would include the risk in the MRO RRA in order to investigate the issue further. The Event Evaluations are also used by RAM staff to identify and share risks that are not covered by a NERC Reliability Standard.
Recent reportable events have been associated with human error, misoperations, breaker failures, commissioning errors, and weather. Weather continues to be the primary driver of events associated with a loss of load. Figures 3.1.3 and 3.1.4 provide a high-level overview of the attributes and event severity for events reported since September 2007. As discussed earlier in this report, the most common attribute associated with the 91 total events reported has been misoperations. Figure 3.1.4, the Total and Average Event Severity Index (ESI), illustrates the number of events per year, broken down by ESI rating.

[24] 2019 CMEP Implementation Plan
Figure 3.1.3 – Attributes of MRO Events

It is difficult for entities to prepare for high-impact, low-probability system events because they likely have not gained the necessary knowledge through experience. The knowledge gained through analysis of events across North America is reflected in the requirements that are included in the Adequacy of Facilities for Event Response Performance Area. Other event-related Performance Areas include Emergency Plan Development and Coordination, Preparation for Physical Events, and Operations During Events. The specific event-related risks for each Performance Area are included in the table at the end of this report.

Figure 3.1.4 – Total BPS Impact and Average Impact, per Year
Figure 3.1.4 above depicts the ESI rating system MRO staff has developed to analyze and trend events in the region. The ESI value is a weighted sum of the generation loss, load loss, and number of facilities experiencing outages during an event. Each year is composed of several bars representing each reported event, with the size of the bar corresponding to the ESI rating for that event. The category of each event is denoted by the color of the bar as indicated in the legend. The green bar in each column represents the average ESI per event that year.

The 2016 uptick in the number of events warranted further consideration by MRO staff and the MRO PRS, who performed detailed event peer reviews for four of the larger and more complex events that occurred that year. The intent of the peer review was to fully understand the root cause and share any lessons learned with the rest of the region and ERO-wide. Per Figure 3.1.4, which covers events through November 9, 2018, MRO has seen in 2017-2018 a return to the trend of fewer, less severe events.

Requirements with High Risk Violations

In order to evaluate progress toward a key reliability goal of fewer, less severe events and instances of noncompliance, MRO developed the Compliance Severity Index (CSI) to represent the total risk that all instances of noncompliance present to the reliability and security of the BPS in the MRO Region. The MRO RAM staff undertake a rigorous process to evaluate each instance of noncompliance, based upon an analysis of the facts and circumstances, to determine the potential and actual risk to the reliability and security of the BPS. The product of this evaluation is a Risk Determination with an assigned Risk Level of Minimal, Moderate, or Serious. MRO uses the Risk Determination and the finding discovery method (Audit Finding, Self-Certification, Self-Report, etc.) to calculate the CSI.
MRO has mapped all historic instances of noncompliance into the current, equivalent Reliability Standards and requirements. This allows analysis of the same risk associated with varying instances of noncompliance, regardless of new associated Reliability Standards or requirements. Figure 3.2.1 provides the 15 highest risk requirements based on the Total CSI, which reflects noncompliance history in the MRO Region, including the entire expanded footprint.
Figure 3.2.1 – 15 Highest Risk Requirements Based on Total CSI

MRO utilizes this information to ensure appropriate focus on the highest risk requirements, including inclusion of those requirements in the MRO performance areas. In particular, MRO utilizes the CSI to evaluate trends in instances of noncompliance of higher risk requirements. If a requirement is showing a year-over-year increase in total CSI, MRO may prioritize the oversight for that requirement. Prioritized oversight might include additional Spot-Checks, Self-Certifications, or increased monitoring frequency through a Compliance Oversight Plan.

This information is provided to MRO stakeholder groups to inform their outreach activities. For example, this data and MRO staff observations drove the creation of a Standard Application Guide on CIP-010 for MRO entities. Increased regional and ERO-wide focus on vegetation management practices, as described later in this report, led to the creation of the FAC-003 Standard Application Guide. Additional Standard Application Guides [25] have previously been developed for PRC-005, CIP-002, and FAC-008, among others. MRO stakeholder groups submit completed Standard Application Guides for endorsement as ERO Enterprise-Endorsed Implementation Guidance (Implementation Guidance). Currently, five Standard Application Guides have been endorsed as Implementation Guidance and two are currently being considered for endorsement.

MRO Region Risks to Security

To support MRO registered entities in addressing cyber, physical, and control system threats, MRO established the Security Advisory Council (MRO SAC).

[25] Standard Application Guide
Key objectives of the SAC include:

Serving as the Subject Matter Expert (SME) for the MRO Region, Board, and staff;
Creating, consolidating, and disseminating highly relevant security information to SMEs in the region;
Strengthening relationships between MRO registered entities and the E-ISAC, governmental agencies in Canada and the U.S., and other industry organizations; and
Exposing MRO entities to best practices and lessons learned from other industries and throughout the ERO.

The MRO SAC holds an annual regional security risk assessment meeting attended by MRO SAC members as well as staff from MRO and the E-ISAC and includes attendees from the MRO Region. The key outcome from the meeting is the identification of security risks to the MRO region. The compiled non-prioritized list of security risks is:

Spear-phishing

Spear-phishing activity continues to be an attractive threat vector used by both advanced and beginner level actors. Spear-phishing remains an effective tool for threat actors because it is easy to use and it takes only one user clicking on a malicious link or attachment.

Risks to Smaller Utilities

Large utilities typically have dedicated significant resources for cyber and physical security activities. Smaller utilities have limited budgets and resource constraints that limit their ability to make robust security investments. In many cases, these smaller utilities can only allocate one or two staff on a part-time basis, especially when dealing with cyber security issues.

Supply Chain Issues

Integrity of the supply chain remains a key source of risk for the electricity industry. Entities should assess their procurement processes to evaluate not only where their tools and technologies are coming from but also the third-party suppliers of embedded solutions.
Vetting of suppliers should include input from the security team for more in-depth evaluations to determine the following: 1) what data is being pulled, 2) where is it going, 3) what are they doing with it, and 4) why does it have to go to the vendor.

Regional/Centralized Security Operations Center

The amount of information coming from the E-ISAC, DHS, FBI, DOE, etc. can quickly overwhelm small staffs even if they understand and consume the information being provided. Support for smaller utilities can be enhanced at the regional level by pooling resources. The significant number of smaller utilities in the region can benefit from the shared resources and best practices from a regional perspective.

Compliance Fatigue

Compliance with security standards and security practices is challenging because they have to respond to ever-changing threats and technology. The CIP Standard development process cannot keep pace with the evolving threat landscape. Changing risks are making it difficult for companies to prioritize and develop effective risk management strategies to focus resources appropriately. Understanding the security maturity of non-CIP assets can identify some potential gaps. The interconnected nature of the grid means that the security of distribution assets can impact the bulk power system, but those assets are not subject to CIP compliance. Using CIP as a framework for vertically integrated utilities attempting to secure those assets may prove too resource intensive or burdensome. Compliance challenges may require utilities to rearrange priorities based on compliance risk, as opposed to pure security risk.

ICCP Security

The number of Inter-Control Center Communications Protocol (ICCP) connections and their security is a concern due to the importance of the data and the content of the information being sent, coupled with the robustness of the protocols. Cybersecurity technologies are not currently available to inspect ICCP data for anomalies or signatures. Nearly all BES operators have ICCP connections, some of which are critical to support situational awareness tools.

Unmanned Aerial Systems

Unmanned Aerial Systems (UAS), or drones, are increasingly being used by industry for operational inspections and monitoring of remote assets. The E-ISAC is seeing an increase in the use of UAS by threat actors conducting surveillance of substations, transmission lines, and other assets. In most cases, these activities have been limited to surveillance activities, but there is an increasing concern of potential use of drones to carry explosive payloads for offensive operations against industry assets. Currently, there is very little recourse when industry observes drones at their sites other than to report the observed drones to local law enforcement. The vast geography of the MRO region coupled with low population density creates challenges to identify the presence of UAS.
Environmental Activism

Increasing reliance on natural gas as a fuel resource has increased the risk to industry from environmental activists. Recent protests against pipelines in the MRO region have increased the need for stronger situational awareness of environmental activist groups and their potential targets. These groups have also protested at nuclear facilities in an attempt to disrupt operations.

IT/OT Convergence

Most companies maintain Information Technology (IT) and Operational Technology (OT) network separation and have a good understanding of their enterprise IT networks, but less knowledge of OT networks. The main focus for security teams may be on IT, with the OT side focused on operations. Training for IT personnel is much different than for OT, leading to some security staff having little to no OT experience. As the threats get more sophisticated, industry is continuing to evaluate the need and/or requirement for manual operations. Industry needs to ensure the tools are available to reliably operate the BES manually, if necessary.
Changing Threat Landscape

The nature and volume of threats affecting the electricity industry are ever evolving. Cyber security professionals may be fighting the threats of the past and not looking towards the future. New tools and training are needed to combat emerging threats to maximize the effectiveness of investments. There is a risk that physical security issues are not being shared broadly. Terrorism, especially at the local level, continues to be a focus of industry security teams. Security teams should consider how likely a terrorist group is to target a local facility. While terrorist organizations identify electricity and energy sector control system assets as attractive targets, these organizations have not moved beyond the aspirational level in the United States. The E-ISAC continues to monitor threats affecting the industry and provides updates as the situation warrants. The companies in the MRO region should be mindful of changes in region-specific fuel sources (wind, gas, and coal) and consolidation of EMS vendors.

Communications

Communications networks and their reliability and resiliency can have an impact on operations if disrupted. The interconnectedness of the grid and remote locations for some assets present challenges from a communications perspective, particularly as entities do not have a detailed understanding of the design and operation of these communications networks. Entities should identify how they are interconnected with other entities, vendors, and other external organizations in order to identify potential vulnerabilities. How a neighboring entity responds to a compromise is also a potential risk that may impact situational awareness.
Threat of Insiders

According to the Carnegie Mellon University’s Software Engineering Institute, “cyberattacks from employees and other insiders is a common problem that you should be planning for and preventing.” Insiders pose a substantial threat to your organization because they have the knowledge and access to proprietary systems that allow them to bypass security measures through legitimate means.

Physical Security

The remoteness and distance of transmission assets from law enforcement present challenges to incident response and mitigation in the MRO region. Entities should have an ongoing relationship with local law enforcement, the local FBI, fusion centers, and the E-ISAC to maintain situational awareness of potential threats, to include the prevalence of terrorist groups in the vicinity of entity assets.

MRO Region Risks to Operations and Planning

MRO staff, in collaboration with the MRO Planning and Operating Committees, compiled the following non-prioritized list of operations and planning risks.

Remedial Action Schemes

Remedial Action Schemes (RASs) are designed to detect predetermined system conditions and take automatic corrective action to maintain BPS stability, acceptable voltages and power flows, and limit the impact of cascading or extreme events or otherwise meet Transmission Planning reliability criteria. The importance of these schemes to the safe and reliable operation of the BPS is reflected in NERC Reliability Standards PRC-015-1, PRC-016-1, and PRC-017-1, which address RAS design and documentation, misoperation reporting and corrective actions, and maintenance and testing, respectively.

Some of the RASs in the MRO region are considered among the most complex in the Eastern Interconnection due to the sophistication of the design. The most impactful RASs in the MRO footprint are associated with formerly identified Interconnection Reliability Operating Limits (IROLs). The redundant nature of the RASs was used in part to retire the IROLs. These factors increase the importance of ensuring that such RASs are planned, built, and maintained properly.

Market Participation

The current suite of Transmission Operating standards is designed to address operational constraints before the constraints become an issue to the reliable operations of the BES. Implementation of these standards can become challenging for entities that participate in ISO/RTO markets. Market tools and participation are not under the umbrella of the NERC Standards but can directly impact an entity’s operational compliance (e.g., the market functioning as an input to Automatic Generation Control algorithm, performing real-time assessments, and using nodal pricing to dispatch around constraints).

For example, consider NERC Lesson Learned LL20170401, Dispatched Reduction in Generation Output Causes Frequency Deviation. [26] In that event, a data transfer issue resulted in incorrect unit commitments from a Balancing Authority’s (BA) economic dispatch software. Despite system operator intervention, some of the dispatch instructions could not be overridden, and the BA experienced a reduction in generation output that caused its area control error (ACE) and system frequency to deviate for nearly 20 minutes.
Market tools and participation add a level of complexity, and therefore risk, to both regulation of these functions and to an entity’s implementation of its roles and obligations per the NERC Reliability Standards. Virtually all entities in the MRO footprint participate in a market, which is taken into account in the implementation of MRO’s CMEP IP. Through outreach in 2017-2018, MRO has seen a specific uptick in questions regarding Transmission Operator roles in performing real-time assessments. MRO utilizes its HEROs™ email [27] and other outreach mechanisms to continue to respond to these inquiries.

Vegetation Management

Conductor contact with trees has been an initiating trigger and a contributing factor in several major system disturbances, including the blackout of August 14, 2003. Tree contact caused the loss of multiple transmission circuits in several of the outages, causing multiple contingencies and further weakening of the system. By carefully tracking and enforcing standards related to inadequate vegetation management, the ERO Enterprise is able to identify and eliminate vegetation management as a cause of a major system disturbance. The goal is to prevent line outages from vegetation located within a transmission right-of-way (ROW) and minimize outages from vegetation located adjacent to a ROW.

From 2016-2017, parts of the MRO region experienced exceptionally warm and wet conditions, which may have prompted accelerated vegetation growth rates and contributed to two instances of vegetation-related transmission outages. Vegetation management programs under FAC-003-4 need to be sufficiently robust to account for varying conditions, including accelerated growth, and ensure that prompt action is taken to identify and mitigate issues.
MRO has modified its Maintenance of BPS facilities performance area to include all FAC-003 requirements related to the design and implementation of vegetation management plans. A Self-Certification, originally planned for 2018, was expedited to Q4 of 2017 to react to this identified risk. While no additional vegetation-related outages or issues were identified as a result of the Self-Certification, this is a risk that MRO continues to prioritize in its monitoring efforts.

[26] NERC Lesson Learned LL20170401, Dispatched Reduction in Generation Output Causes Frequency Deviation
[27] heros@midwestreliability.org

Changing Resource Mix

Changing resource mix is a significant issue in the MRO region. One primary risk results from integrating variable generation such as wind to replace energy currently produced by conventional generation/large rotating machines. These large rotating machines have provided diverse characteristics, such as inertia, the ability for the power system to recover from a frequency event, and voltage support, collectively known as essential reliability services. The power system must have the ability to raise and lower generation or load, automatically or manually, under normal and post-contingency conditions.

In the past, the grid has operated reliably without explicitly quantifying each essential reliability services element, as most conventional resources provided these services by default. As variable generators, like wind and solar, are introduced to the power system, it is becoming necessary to examine each of the essential reliability service requirements to ensure the BPS remains reliable. The significant increase in variable resources, coupled with retirement of conventional generation, will increase the complexity of commitment, dispatch, and control room operations.

Recent voltage disturbance events on the transmission systems in Australia and Texas have highlighted concerns with insufficient essential reliability services for wind generators, specifically voltage ride-through capabilities and control system parameters.
On September 28, 2016, five faults occurred on the South Australian transmission system in under 90 seconds. The six subsequent voltage disturbances and the lack of voltage ride-through capability at nine wind plants led to the sudden loss of 25 percent of the system’s capacity. The system islanded and frequency rapidly began decreasing, causing the remaining generation to trip, resulting in a blackout. As detailed in a NERC Lessons Learned, [28] five events have occurred on the ERCOT system where line faults or bus faults resulted in the temporary loss of wind generation.

Eastern Interconnection ties lessen the susceptibility of transmission in MRO’s Region to instability and uncontrolled or cascading outages due to reduced essential reliability services associated with wind facilities. However, there is a potential for low voltage in areas where wind penetration is high, transmission lines are long, and load is comparatively small, because thousands of MW of wind generation could be susceptible to similar issues if unit settings and capabilities are not verified, maintained, or otherwise functioning properly.

Similar ERO-wide concerns apply to solar resources, as indicated by the NERC Alert [29] for loss of solar units during disturbances due to inverter settings. This concern is minimal for MRO at this time, as there is only a single, utility-scale, solar resource in the region. However, recent studies anticipate an uptick in such resources as variable resources continue to phase out conventional generation.

As indicated in the Insufficient Long-Term Planning Due to Inadequate Models 2019 ERO Risk Element, NERC’s annual Long-Term Reliability Assessment forms the basis of NERC’s assessment of emerging reliability issues. The ERO continues to raise awareness on inverter-based resource performance through NERC alerts and industry outreach. MRO has established the Study and Operating Plan Validity, Planning Assessment Coordination, and Modeling Data Performance Areas to best address this risk via compliance monitoring activities.

[28] NERC Lessons Learned
[29] NERC Alert

This risk is observed to varying degrees in all four PC footprints in the MRO:

Figure 3.4.1 – Planning Coordinator Forecast of Generation by Fuel Type

Renewable portfolio standards continue to incent the integration of renewable resources into the resource mix. Renewable energy in the United States accounted for 14.9% of domestically produced electricity in 2016. Operational parameters for variable resources are different than traditional resources, and their output is not dispatchable but variable, depending on levels of wind or sunshine. However, power system operators have been able to adapt to these challenges. As the levels of renewable resources continue to grow, so do the challenges of integration with other resources required for a reliable bulk power system.
Figure 3.4.2 – Renewables in the MRO Region

Regional Natural Hazard Assessment

The US Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has compiled a set of State Energy Sector Risk Profiles to help states understand risks to their energy infrastructure. [30] The State Risk Profiles examine risks at the individual state level, highlighting energy infrastructure trends and impacts, including both natural and man-made hazards with the potential to cause disruption of the electric, petroleum, and natural gas infrastructures.

Reviewing the natural hazards data for the states in the MRO Region from 1996-2014 reveals that the top three natural hazards based on annual frequency of occurrence are: 1) Thunderstorms and Lightning – 2021 total average occurrences, 2) Flooding – 622 total average occurrences, and 3) Winter Storms and Extreme Cold Weather – 510 total average occurrences. The total annual average occurrences are illustrated by state in Figure 3.4.3.

Figure 3.4.3 – Natural Hazards by State, 1996-2014 (vertical axis: Annual Frequency of Occurrence; series: Thunderstorm & Lightning, Flood, Winter Storm & Extreme Cold)

[30] State Energy Sector Risk Profiles