Ensuring Compliance vs Building Resilience
The realization that the vast majority of substations have significant security vulnerabilities was crystalized after the Metcalf incident of April 2013, during which unknown assailants caused the failure of 17 transformers at the Silicon Valley PG&E transmission substation in Metcalf, California. Jon Wellinghoff, then Chairman of the Federal Energy Regulatory Commission (FERC), later told the Wall Street Journal that it was “the most significant incident of domestic terrorism involving the grid that has ever occurred.”
FERC, the U.S. federal agency that governs the U.S. power grid, then directed the North American Electric Reliability Corporation (NERC), the reliability standards organization for the bulk power grid, to develop the CIP-014 standard, necessitating each utility undertake an assessment of their physical security infrastructure, and develop a comprehensive security plan that addresses major and minor transmission site security. The final version of CIP-014-1 was adopted by FERC in November 2014, with enforcement actions expected to start in 2016.
Christopher Peters is Vice President of NERC and Critical Infrastructure Protection Compliance at Entergy. Peters heads up all of NERC reliability compliance, which includes critical infrastructure, protection and reliability standards. In this interview he discusses the implication of the CIP-014, which while still away off, is causing marked changes throughout the industry.
While the implication of the CIP-014 is still far off, Entergy realized early on that that it needed to go further than simple adherence. The challenge becomes rolling out the changes in the most efficient way possible with minimal impact to current operators and IT. It’s also an opportune time to improve processes and procedures to ensure that the organization is operating consistently across all business units. Peters has solidified some best practices in physical security planning from a resilience standpoint.
In order to prepare for the new regulations, Entergy:
- Assembled an implementation team and risk committee about 18 to 24 months before the deadline
- Set up a capital approval process to make secure funding ahead of regulations and are a part of future policies
- Took the opportunity to improve processes and procedures across all business units, including nuclear assets, generation, new transmission, and system planning
Viewing the new regulations through the lens of an opportunity to improve business processes can only ensure greater grid resilience. Entergy has a single security program that matches all business units and systems instead of from a patching perspective. Each business unit now has a centralized team that manages patching. This is a direct result of how the current regulatory environment affects resilience investments and projects.
Predictions for the future of disaster planning should not be overlooked when investing in resilience projects. Disasters can’t be predicted and will keep coming every year from multiple different threats. Extreme weather threats – cold, heat, drought, flood, ice, tornadoes, lightening – have no been joined by cyber threats, all of which, Peters says, have the potential to create mini-disasters in Entergy’s system. Luckily, they haven’t experienced a cyber threat or attack that brought their system down, but it’s a threat that they account for, plan for and drill for.
Entergy has relationships in place with local law enforcement, the Federal Bureau of Investigations (FBI) and regulatory employees in Washington, D.C., so that in the event of a cyber incident they are able to respond as quickly as possible. Having established relationships makes it easier to get the senior leadership in place, engaged and able to mitigate threat as quickly as possible. Cybersecurity is one of many threats Entergy faces: They fund it, plan for it, prepare for it and respond to different types of cyber incident threats, but none that reach that disaster-scenario level. The industry in general is looking at that disaster type scenario and making sure it’s ready to respond.
One of the best actions utilities should take to increase resilience is to start with knowing and understanding how their enterprise works inside and out, Peters said. Utilities must account for every transaction that’s taking place in the enterprise. Furthermore, utilities must know their systems as well as have accurate inventories.
"[Utilities] need to know where their vulnerabilities are and there needs to be plans to remediate vulnerabilities if they exist. They need to have Board and CEO-level engagement on all types of reliability issues, not just cyber, but also items such as spare auto transformers being baked into the crisis response plan around reliability and cyber. Essentially, they must, as a company, to treat cyber and reliability with the same focus and attention they would respond to hurricanes and outages," Peters says, which is where Entergy is headed.
"It’s their goal to be as good at cyber response as they are at hurricane response," Peters adds. "And we’re very, very good at hurricane response."
In order to elevate the cyber prevention and protection program, Peters and his team routinely brief their Board, the office of the chief executives and ensure that their capital investments are approved by a risk committee. These actions ensure that the cyber plan is baked into their business continuity plan.
"Although new threats abound, resiliency remains the most important element of any strategy. But, it’s also all block and tackle stuff that utilities should be doing since the regulatory environment mandates very prescriptive requirements about how to protect critical assets around change management, access control, as well as patching and managing access points. On the other hand, it is very administrative intensive when you have to prepare for an audit and it can be very onerous to maintain documentation and prepare at the same time. When you prepare for an audit you think about 100 to 125 people involved getting things together for that audit. So, that’s a resource constraint, it’s time consuming and it’s a lot of work and it takes daily operational jobs and impacts other things," Peters says.
High-impact, low frequency events are hard to prepare for, plan for and recover from promptly. “By understanding how the everyday, low-impact events play into larger and more costly scenarios, we can start to look for ways to better understand and mitigate the extreme events. With unlimited funds, there isn’t much we couldn’t do in the way of grid hardening – but in today’s demand plateau this issue requires a hard look at trade-offs, cost-benefit analysis, and an understanding of the most likely points of failure,” Peters concludes. ET