ensuring grid security and reliability
DESCRIPTION
In 2008, FERC gave NERC the power to establish mandatory Bulk Power System requirements for security and reliability, audit compliance and levy fines. Since then, NERC standards and requirements have grown, and are growing, especially Critical Infrastructure Protection (CIP) standards. How can cooperatives make sure their organizations meet these evolving demands and secure the grid while continuing to deliver reliable power? This ScottMadden insight is the third in a series on “Five Strategic Priorities for Generation and Transmission Cooperatives.” The report summary can be found here: http://www.scottmadden.com/insight/516/five-strategic-priorities-for-generation-and-transmission-cooperatives.html. For more information, please visit www.scottmadden.com.
TRANSCRIPT
Copyright © 2012 by ScottMadden. All rights reserved.
Ensuring Grid Security and Reliability
A Generation and Transmission Cooperative Strategic Priority
October 2012
Contact: Brad Kitchens ([email protected])
Marc Miller ([email protected])
Zach Milner ([email protected])
Introduction
This ScottMadden insight is the third in a series on “Five Strategic Priorities for Generation and Transmission Cooperatives.”
Contents
Overview
Evolution of Rulemaking and Enforcement
Multiple Dimensions of Reliability
Effective Compliance Program Elements
Thinking Strategically
Contact Us
Five Strategic Priorities:
— Managing Generation Assets
— Ensuring Grid Security and Reliability
— Gaining Access to Capital Markets
— Improving the Effectiveness of Stakeholder Management
— Fostering Economic Development
Overview
In 2008, FERC gave NERC the power to establish mandatory bulk power system requirements for security and reliability and to audit compliance and levy fines. Since then, NERC standards and requirements have grown and are growing with Critical Infrastructure Protection (CIP) standards making up a significant part of that growth.
NERC Compliance Maturity Model (maturity levels, from low to high):
— Defined Processes: compliance requirements defined; mitigation activities established
— Accountability: dedicated compliance organization established; individual standard owners assigned
— Integration and Automation: requirements coordinated by all business units; documents managed electronically; workflow and metrics automated
— Ongoing Compliance: continuous cycle (as standards evolve, procedures are updated and personnel are trained); demonstrated culture of compliance; active regulatory relationships
CIP violations were eight of the top 10 from March 2010 to March 2011
Top companies are working to ensure that their organizations can evolve to meet changing NERC and FERC priorities
In 2012 and beyond, NERC will employ a risk-based approach to managing and improving reliability
— This risk-based approach will include a heavy focus on CIP standards
In addition to managing key reliability metrics, companies should also build a mature and effective compliance program
Compliance programs are most effective when they impact multiple dimensions of an organization, including:
— Standards Development
— Employee Training
— Risk Management
— Organizational Structure
— Compliance Processes
— Program Management
— Use of Technology
— Culture of Compliance
Rulemaking and Enforcement Are Evolving
Evolution of Rulemaking and Enforcement
Since 2008, the number of violations has increased, especially the number and proportion of violations related to CIP.
Rulemaking and Enforcement Are Evolving: Cooperatives must work to ensure their organizations can meet evolving demands
An effective compliance program is a natural outcome of the process of increasing security and reliability
The CIP program coordinates NERC’s efforts to improve physical and cyber security for the bulk power system of North America
— Since 2007, CIP violations have increased in total number and as a percentage of total violations
— Non-CIP violations have also increased
Focus on Cooperatives
Since the beginning of mandatory enforcement, 47 reliability standards had possible violations by cooperatives, yet 47% of the total number of violations are concentrated in only four standards:
— PRC-005: System Protection Maintenance and Testing
— CIP-001: Sabotage Reporting
— CIP-007: Systems Security Management
— CIP-005: Electronic Security Perimeters
Cooperatives can prioritize activities by focusing resources on these standards
[Chart: Top 10 Violations by Cooperatives, number of violations per standard (scale 0–100)]
Sources: NERC
Multiple Dimensions of Reliability
Cooperatives must work to ensure the reliability of the overall bulk power system along multiple dimensions, including regulatory and environmental uncertainties and the adequacy of generation resources to meet projected demand.
Security for an increasingly “smart” grid
Increasing dependence on digital technology to reduce costs, increase efficiency, and maintain reliability means that the networks and computer environments which support this technology must be adequately protected from attacks
— The constant vigilance that is required to ensure security in this environment is challenging for cooperatives due to the costs and specialized expertise associated with attaining it
Other areas of reliability to consider*
Generation Reliability
The results of NERC’s recent analysis of generation reliability showed upward trends in forced outage hours, maintenance events and planned outage events
— Forced outage hours jumped from 266 to 310 hours per unit from 2009 to 2010
— Maintenance events increased by 24 hours per unit from 2009 to 2010
— Planned outage events increased slightly from 2008 to 2010
Further investigation is required, but an aging generating fleet may be a primary driver of degrading generation reliability
Transmission Reliability
From 2008 to 2011, nearly 20% of automatic sustained outages were initiated by either failed AC substation equipment or failed AC circuit equipment
These equipment failures should be considered significant focus points in reducing outages and maintaining reliability
*Sources: NERC, 2011 Risk Assessment of Reliability Performance
Effective Compliance Program Elements
An organization can support increased security and reliability, and its ability to respond to evolving rulemaking, by working to ensure that the eight compliance elements described below are incorporated into its compliance program.
Organizational Structure
• Dedicated compliance organization; supervised by the “compliance officer”
• Identified compliance leaders and structure in each applicable organization
Employee Training
• Staff at all levels are trained; communications clear
• Methodology to ensure alignment between documentation compliance and training
Culture of Compliance
• Recognition of the importance of reliability/compliance
• Employees are encouraged to identify and self-report violations through the corporate process
• Key compliance indicators identified and monitored; “dashboard” status reporting
Standards Development
• Proactive involvement in standards development
• Process in place for rollout of new standards
Compliance Processes
• Established corporate-wide standards
• Ongoing audit readiness process to prepare for self-certification, self-reporting, compliance audits, spot checks, and readiness evaluations
Program Management
• A master schedule exists for all compliance-related activities; activities are managed as a program
• The compliance group assists the business units
Risk Management
• Enterprise-wide risk management assessment conducted to evaluate compliance risk
• Formal reviews of company reliability “incidents” and “near misses” are held in a timely manner
Use of Technology
• Computer-based tracking systems
• Central repository for auditable documents
• Appropriate tools selected to support NERC
Effective Compliance Program Elements (Cont’d)
Some key questions to consider under each of the eight compliance elements are listed below.
The degree to which an organization has addressed these questions is indicative of program maturity and effectiveness
Organizational Structure
• Who is the NERC chief compliance officer? Why?
• Do they have access to the COO/CEO?
• To whom does the compliance manager report?
• How are responsibilities divided between compliance and the SMEs?
Employee Training
• Once procedures are complete, how are staff trained?
• How frequently are procedures reviewed?
• Who signs off on staff knowledge?
Culture of Compliance
• Does senior management consider NERC compliance a primary responsibility?
• What communications have been made to the staff and board regarding NERC compliance? Are these messages reinforced?
• How is performance managed?
Standards Development
• How does the enterprise stay apprised of standards under development?
• What is the internal process to comment and vote on standards?
• Who are the representatives on the RRO and NERC standards development committees?
Compliance Processes
• How are procedures vetted internally?
• How does the signing officer know they are correct and have been implemented?
• Are the procedures for self-certification, self-reporting, audit preparation, etc. followed?
• Who is responsible for compliance with those procedures?
Program Management
• Is there a master plan of compliance-related activities? How is it managed?
• Who is responsible for tracking activities and ensuring completion?
• How are procedures integrated within and across departments?
Risk Management
• Is NERC compliance included in the ERM process?
• How is potential compliance exposure communicated to management?
• Are compliance resources allocated consistent with potential risks?
Use of Technology
• Which tools are used for project management? Work management?
• How is procedure version control managed?
• How are tasks tracked and communicated?
Thinking Strategically
In today’s dynamic and challenging environment, it is more important than ever to ask the right questions and understand the implications of the answers.
Practical Questions for Management
With which violations are we most at risk for non-compliance?
What components of an effective compliance program are priorities for my organization right now?
How do our compliance activities compare to other organizations?
What systems, tools, and training are available to help facilitate a culture of compliance?
Do we have well-defined processes that will keep us in compliance while improving security and reliability over time?
Does our organization structure support clear and undiluted accountabilities?
Possible Goals for the Organization
Identify standards where the organization may be at risk and perform an internal assessment
Review the most violated standards and largest penalties in the industry to identify those which could present the most risk
Assess the NERC compliance governance structure to ensure roles and responsibilities support the goal of corporate compliance
Ensure processes that touch CIP standards efficiently meet current and likely future business requirements
Develop a governance model that clarifies key accountabilities associated with ensuring grid security and reliability
Contact Us
ScottMadden has undertaken numerous consulting projects for cooperatives across the country. If you are interested in learning more about ensuring grid security and reliability, please contact us.
Zach Milner
Senior Associate, ScottMadden, Inc.
3495 Piedmont Rd, Bldg 10
Suite 805
Atlanta, GA 30305
Phone: 404-814-0020
Marc Miller
Director, ScottMadden, Inc.
3495 Piedmont Rd, Bldg 10
Suite 805
Atlanta, GA 30305
Phone: 404-814-0020
Brad Kitchens
President and CEO, ScottMadden, Inc.
3495 Piedmont Rd, Bldg 10
Suite 805
Atlanta, GA 30305
Phone: 404-814-0020