May 17, 2012

Weighing Pros and Cons of Energy Storage Technologies

James Holler, Founder, Abidance Consulting

Last time we made the argument that advanced energy storage has a demonstrable track record of positive environmental and economic benefits. Now let’s look at some of the energy storage technologies available in today’s marketplace:

Dynamic Power Resources (DPR)

  • Ramp Rate Control: DPRs monitor output from a renewable generation source on a microsecond basis and automatically respond by either absorbing renewable output or supplying additional power, so that the grid receives smooth, clean power at the desired MW/minute rate.
  • Firming/Shaping: Coupling a DPR with a renewable generation forecast allows the utility to organize other generation resources to meet expected demand based on its guaranteed day-ahead renewable output schedules, as well as to reshape output to deliver power during peak demand times regardless of whether the renewable asset is generating power or not. If a forecast is inaccurate, the DPR automatically supplies or absorbs power on a microsecond basis to ensure the day-ahead output schedule is met.
  • Curtailment Mitigation: when the utility needs to curtail renewable output, the DPR can take advantage of all of the as-available fuel by storing curtailed power and redistributing it at other times throughout the day, whenever the grid needs additional energy.
  • Ancillary Services: the speed and accuracy of the full four-quadrant DPR are unmatched by typical generation resources.
    • Voltage Support: the DPR can supply and absorb reactive power (VARs) while simultaneously supplying real power (Watts). This allows the system to maintain a target power factor while continuing to provide the other functions that require real power management, such as the services mentioned in this section.
    • Frequency Regulation: the DPR can respond to AGC signals and/or frequency deviations with sophisticated control algorithms to help maintain nominal grid frequency. The DPR is capable of providing frequency support during a loss of generation or system disturbance, as well as addressing the less severe frequency deviations that occur during normal grid operations throughout each day.
    • Spinning Reserve: the sizing scheme of the DPR allows the customer to add more energy storage (MWh) so that the unit can act as a back-up power reserve for extreme generation trip scenarios, providing power while offline generation units ramp up to replace the lost generation.
  • Transmission and Distribution Upgrade Deferral: instead of undertaking costly T&D upgrades, utilize DPRs to supply power for incremental increases in load, as well as to enhance grid reliability on weak and/or congested T&D lines.
  • Peak-Shaving/Load-Leveling: similar to ramp rate control but over longer periods of time, a DPR can absorb and provide power, charging during off-peak times for use during on-peak times. Peak loads are lessened, which ultimately enables traditional generation to run more efficiently.

James Holler is founder of Abidance Consulting.


Fact, Fiction or Just Good Old Fashioned Nonsense – EMP Speech From FERC Conference

James Holler, Founder, Abidance Consulting

On February 8, 2011, FERC hosted a conference dealing with the security of the nation’s grid. I really wish I had been there so I could have called a lot of these people on the carpet about the garbage they were spewing forth! One of the “Chicken Littles” who took time to try and scare people, Avi Schnurr of the Electric Infrastructure Security Council (EISC), gave a doomsday scenario without a word on how to prevent or recover from an EMP event.

If Mr. Schnurr had wanted to add any value to his speech, which by the way, was based on test data from 45-50 years ago, he would have stated that there is a fix for EMP events called a Faraday Shield. Mr. Schnurr could have continued on and told everyone that Faraday Shields are so common that they are used in everyday items such as cell phones, microwave ovens and even LCD televisions. The technology to fix the issue(s) stated by Mr. Schnurr has been around for more than 50 years.

When an individual or company gives you bad scenario after bad scenario of what will, not what might, occur, and does not give a single example of a solution or even a hint of a solution, one should ask oneself: what is this person’s ulterior motive?

It is solely my opinion that the only purpose Mr. Schnurr served was to scare the power industry into calling on the EISC for assistance — for a hefty fee I am sure. I could be wrong, but I doubt it. I have seen too many “snake oil salesmen” in my time.

James Holler is founder of Abidance Consulting.


Skilled Social Engineers Threaten Your Proprietary Data

James Holler, Founder, Abidance Consulting

I have used social engineering (SE) to gain physical access to several large facilities and then to get key passwords and login information from people. I have posed as technicians and other officials in order to gain the proprietary information I wanted. Luckily, I’m a good guy who did this at the request of clients to test their own defenses.

Unfortunately, there are a lot of bad guys out there who do this, too.

The bag of tricks that Social Engineers use allows them to lie, cheat and steal their way past your organization’s security controls. The ultimate goal, in most instances, is theft, fraud and/or espionage.

Your best line of defense: Training your people.

Fraud incidents are on the rise and many of these crimes result from social engineers pulling off their costly deceptions in person, via the telephone and through popular social networking sites.

Despite all the media hype about hackers and viruses, the greatest threats to an organization’s information security are actually the employees of the company. They’re the ones who too often, too easily, fall victim to Social Engineering ploys and open the doors wide to anyone who appears to be, and acts, “normal”.

Bank robbers case the joint. So do Social Engineers.

When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gaining information from those that know the company best. Their information gathering can range from simple phone calls to dumpster diving.

Being cognizant of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to blocking these manipulations. Regular testing to ensure the effectiveness of your training initiatives is a must. Your training must allow your staff to understand social engineering methodologies, why it is the most effective tool for attacking a company, and why so many people fall victim. Your staff also needs to learn how effective corporate communication and incident response planning can prevent attacks from occurring in the first place.

Once you discover the best ways to test the effectiveness of your awareness efforts, you will then be able to learn what to do after the attack has occurred. Can you put the genie back in the bottle? Yes, if you know where the genie is likely to go next. Remember, everyone is susceptible to this kind of theft. The key is to know how to spot it so you can stop it.

James Holler is founder of Abidance Consulting.


It’s Time To Check Your CIP-009 Mandated Business Continuity Plan

James Holler, Founder, Abidance Consulting

It’s probably time to revisit your Business Continuity Plan(s) required under CIP-009.

Why? Because you’ve got less than a week until most facilities deemed to be Critical Assets have to be auditably compliant with the NERC CIP rules.

Around the country, natural disasters and man-made incidents and attacks have directly disrupted business operations across the power and utility industries. Having a definitive plan and response technique is essential to remain viable, especially in today’s rough economic climate.

Good continuity planning is vital to any critical industry. However, a rise in service interruptions due to natural disasters and other activities has underscored the need for business continuity plan development and maintenance. Even if you have completed your planning, you may want to revisit your plan one last time before you self-certify your compliance. One of the major gaps in most Business Continuity Plans is the set of topics that were not of any significant concern until very recently, such as terrorist activities, Aurora events and surviving a pandemic flu.

We’ve talked with several regional auditors recently, and they suggest that the regions are looking for registered entities to directly address these areas in the Business Continuity Plans. Several registered entities have recently suffered monetary fines for failure to include these areas in their plans.

Our discussions with the regional auditors also suggest that roughly 70% of the Business Continuity Plans that were reviewed were not deemed adequate. Unfortunately, this suggests that registered entities are not carefully planning their strategies or they do not have a firm grasp of what is required for a comprehensive plan. Either way, the regional auditors are not going to be so forgiving next year as registered entities begin to certify that they are compliant.

As you wrap up 2010 and prepare for the new regulatory world in 2011, it’s time to review your plan again or have a specialist in this area review it and make the necessary modifications so that you are truly auditably compliant.

James Holler is founder of Abidance Consulting.


NERC Compliance Could be Tougher in 2011

James Holler, Founder, Abidance Consulting

As one year winds down, let’s peer ahead to see what compliance “surprises” could come from our friends at NERC in 2011 and beyond.

We all know there are no guarantees that there won’t be any “surprises” next year or beyond. What we, as an industry, do know is that there is going to be a new version of the CIP requirements that will cause most, if not all, registered entities to become a low, medium or high impact critical asset. This change will require registered entities to prepare new policies and procedures as well as implement a series of fail-safes to protect the facility from a physical and/or logical intrusion.

Beyond the revised CIP requirements on tap, there is no telling what the compliance future holds in store for us. This past year there have been multiple NERC Alerts issued that would have affected a majority of the registered entities to some extent.

Then there was AURORA, a big NERC Alert that did affect the current status of many registered entities. As you may know, this alert was issued in October and gave registered entities only a few weeks to respond to NERC.

Next year may see a similar number of Alerts issued; there is no way to determine what may or may not affect you until the Alerts or directives are issued, either by your region, NERC or even FERC. One way to stave off unforeseen expenses, including some of the ones registered entities incurred this year, is to outsource all of your NERC compliance efforts for a fixed fee via a Master Services Agreement (MSA), either to an internal corporate division or to a competent consulting firm. In either case, whomever you outsource your compliance efforts to must be fully adept at both the CIP and the Reliability Standards. This outsourcing could, in effect, negate any unforeseen expenses for consulting and other initiatives, since all NERC Alerts and similar directives would be covered.

In addition to helping you prepare for and handle a prospective audit, your consultants should also be responsible for keeping you compliant at all times, filing the appropriate self certifications, self reports, updating all policies and procedures to reflect any changes that may occur and also to address all NERC Alerts and new requirements that affect you.

James Holler is founder of Abidance Consulting.


Beware the NERC CIP Consultant Spreading Rumors

James Holler, Founder, Abidance Consulting

I’ve noticed a new and troubling trend recently: there are a few consultants and firms using scare tactics to frighten potential clients into becoming paying customers. Many of these consultants use misinformation and half-truths to spread their fear mongering on social network sites such as LinkedIn. Unless FERC, NERC or one or more of the eight Regional Entities has been directly quoted, with the source named, or if you can’t otherwise confirm a consultant’s comments or statements, it is recommended that you contact these organizations for confirmation.

A good example of this is a consulting firm spreading wild rumors and accusations that there is going to be a CIP version 5, with a set of rules radically different from what is in place now. Well, having spoken to Commissioner Spitzer’s office at FERC, there are no immediate plans for a version 5 of the CIP requirements. Version 4 has not even been approved by FERC; therefore, FERC can’t even contemplate when, or even if, there will be a version 5 of the CIP requirements.

The Standards and Development Team that works with NERC to create the various CIP rules and changes is made up of industry experts – some more knowledgeable than others – who create the modifications or new requirements. These are then put out for a vote by the industry. If they are approved, the CIP requirements are presented to FERC for its approval. More often than not, FERC refers the presented rules back to NERC for modification or requests clarity and guidance. The Standards and Development Team is not the de facto word on the CIP requirements; FERC is.

To sum up, don’t believe everything you read or hear. I do recommend that you get independent verification from FERC, NERC or your Regional Entity. If the consultant is using scare tactics to get you to sign a contract, they are only interested in making a quick dollar and do not have your best interests in mind. There are literally hundreds of people on the Standards and Development Team, so if someone touts that they are on the team, that’s nice…so are many others and they aren’t going around using scare tactics to get you to sign on the dotted line. My best advice is to do your due diligence before you jump simply because someone told you the sky is falling.

James Holler is founder of Abidance Consulting.


Are The NERC Requirements Strong Enough To Protect The Power Grid?

James Holler, Founder, Abidance Consulting

The NERC requirements might help the people at NERC and the regions get a better night’s sleep, but a sound action plan, including situational awareness, is the only true way to get there — and ensure greater cybersecurity for all.

With so much at stake, NERC is faced with the daunting challenge of locking down the nation’s cyber infrastructure as it pertains to the power grid. NERC has forced registered entities to establish programs for securing their Critical Assets and Critical Cyber Assets that include dedicated management, oversight, accountability of corporate officers, processes for securing IT systems, and mechanisms for measuring progress.

Of course, just meeting NERC requirements doesn’t mean a registered entity is secure. NERC should recognize its shortcomings and pass a measure that will, among other things, strengthen the role of an industry recognized leader like the National Institute of Standards and Technology in shaping cybersecurity requirements.

So, why is cybersecurity such a challenge? That’s a loaded question because today’s information infrastructure is a quandary. Some of the issues are:

Advanced Persistent Threat

Cyber criminals have become more sophisticated, outpacing defensive measures. Hackers constantly exploit weaknesses in popular products and create new techniques using viruses, rogue antivirus software, keystroke loggers, botnets, and other tools, for immediate targets or time-triggered actions.

New Dynamics

Registered entities have completely changed the way they communicate, interact and accomplish their missions. They’re sharing information in new, amazing and sometimes scary ways—from portals (regional scale for the most part) to social networking websites like LinkedIn. They’re even bringing trusted third parties into the fold. And their flexible IT model is establishing technology options that could present more risks, such as mobility and cloud computing.

Shared Risk

All of this is extending NERC’s reach into the critical infrastructure. Yet, 95% of that infrastructure is in the hands of the private sector. Risk to that infrastructure, information assets and private data is rampant with potentially deep and catastrophic consequences. The fact is, registered entities are giving more and more access to data and applications, a concept that runs counter to most security type of thinking. Traditional network security that relies on reactive measures simply isn’t enough.

Pay Closer Attention To Applications

Whether off-the-shelf or home-grown, most applications are not engineered with security in mind, so you need to ensure trusted development processes to maintain their integrity. Today, that means adhering to the NERC requirements. Trusted delivery is also critical — especially with innovations like cloud computing. Protecting the perimeter around applications is not a sufficient defense; you must extend security to the application layer. In every case, you need to be able to measure an application’s ability to process and handle sensitive information throughout its deployment lifecycle.

James Holler is founder of Abidance Consulting.


NERC Adds Heavier Fines, CIP Violations to Latest Enforcement Actions

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

NERC is mad as hell, and they’re not going to take it anymore.

Okay, maybe that’s stretching it a bit, but take a look at their latest batch of tougher enforcement actions that hit some regulated entities with some heavy penalties.

Former cyber security specialist in FERC’s Office of Electric Reliability Randal Blanchette believes the upswing can be partially attributed to the simple fact that more and more entities are being audited for CIP-002 through CIP-009 generally. “There are also more complexities [for companies to comply with] as newer revisions come out,” he adds. We’ve talked to Randal before about confusing NERC regulations.

But Abidance Consulting’s James Holler says NERC is “flexing its muscle a bit.” They’ve been “nice” to regulated entities up until now, “but now they are saying it’s over.”

He noted a lot of six figure fines among this recent slew of penalties. “Those who didn’t take NERC seriously better start doing so now.” NERC observers tell us that in the past, few NERC citations carried a price tag for regulated entities. “We gave you a break and you took advantage of it,” is Holler’s view of NERC’s new attitude. “Some of you were slow to get your compliance programs in order and NERC wants to show they mean business now.”


How to Interpret a NERC Requirement

James Holler, Founder, Abidance Consulting

As many of you know, neither FERC, NERC nor your Regional Entity (FRCC, MRO, NPCC, RFC, SERC, SPP, TRE, WECC) has been willing to give any kind of interpretation for many of the NERC requirements. For example, if you want to know what the definition of “annual” is, neither NERC nor any of the regional entities will give you a “hard answer”.

With that said, here is a piece of information you may want to hold onto. If a requirement has not been officially interpreted in writing by the regional entity or NERC, or by a FERC Order, Ruling or case decision, then the registered entity can choose its own interpretation as it applies to best business and utility practices for its environment. This interpretation should stand up in court and it is, for lack of better words, FERC’s Achilles Heel. The registered entity’s interpretation must be in writing and widely disseminated throughout the organization if the registered entity expects its interpretation to hold up.

Here is an example of an interpretation – feel free to use the one we are providing – that you could use for CIP-008, R1.1:

Procedures to characterize and classify events as reportable Cyber Security Incidents

The response plan must allow for characterizing a reportable Cyber Security Incident by determining: whether the incident is/was malicious or not; whether equipment/property was stolen and/or destroyed; the length of the incident (if cyber, how long the attack went on for); and whether you are able to recover from the incident or not – and, if you can recover, how long it will take.

The response plan must allow for you to classify the reportable Cyber Security Incident by determining whether the incident was a recurring incident, a one-time event, a peripherally related attack, etc. Was the incident detrimental to operations or not? Was the incident preventable?

As a registered entity, please be reminded that you need to use common business sense and good utility practice when creating/presenting your interpretation(s). Do not interpret a requirement as being something that it clearly is not. In other words, don’t interpret sabotage in CIP-001 as being only an event that is caused by a terrorist. A perfectly acceptable method is to look up the definition of sabotage in the dictionary and use that definition as a guide or starting point.

The information given in this document was garnered through conversations and Q&A sessions with various members of FERC, NERC and several regional entities.

James Holler is founder of Abidance Consulting.


NERC/FERC Compliance Standards Too Vague, Former Official Says

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Confused by FERC’s sometimes vague compliance requirements? You’re not alone – FERC might be, too.

That’s the startling revelation we got recently from a man who ought to know: Randal Blanchette left the agency in September to join Abidance Consulting. At FERC, Randal was a cyber security specialist in the Office of Electric Reliability. He’s done audits on utilities large and small, and he’s seen it all.

“I was there at the creation” of the CIP 002-009 Standards, Randal adds. He’s uniquely positioned to help companies navigate these regulations, he argues, because he’s the only one involved at this level who has since left FERC. “Not to toot my own horn, but I understand what is happening and no one who has left FERC was in the position I was in,” Randal says.

So far, FERC’s efforts to provide more specific standards and requirements have been hamstrung by internal disagreements and an overarching desire to develop standards that “are defensible in court,” the former FERC official says. That makes some sense, since a standard that won’t hold up in court loses a lot of regulatory teeth, Randal agrees, but that focus has sometimes made it difficult for FERC to offer much in the way of specifics. And it’s left a lot of regulated entities scratching their heads.

“The creation of the CIP 002-009 Standards by NERC with approval from FERC [presented industry with] many challenges of interpretive guidance as can be expected from an imperfect set of documents that catered to the lowest common denominator while simultaneously skimping on clarity for the entity players to understand,” Abidance Consulting’s James Holler has written on this blog.

“Many of the regulated entities I audited or came in contact with didn’t understand the ramifications of non-compliance” with the regulations, Randal says. Worse still, many thought they were in compliance when they actually weren’t. “Many don’t have a good sense of what’s expected of them and how to comply.”

While regulated entities should get some sympathy for having to grapple with sometimes vague regulations, they still have to find ways to comply, Randal notes.

Making matters more complicated, Randal adds, is that there is a lot of “misinformation” out there in cyberland about what constitutes compliance-proven reporting procedures. Chatter and informal “advice” on the Internet is only adding to the compliance ambiguity faced by many regulated entities.

But there is some relatively good news, Randal says. The new CIP 010 and 011 standards are “more specific and helpful, but we’re still not there yet.”

Progress not perfection, as they say.
