May 17, 2012

NERC Is Getting Serious About Financial Penalties

James Holler, Founder, Abidance Consulting

As is evident from the latest round of financial penalties (February 23, 2011) from NERC, the time for forgiveness is over. $1,145,500 in financial penalties were handed down to 24 organizations according to the latest statistics — and none were zero-dollar fines.

With penalties ranging from $3,000 all the way up to a whopping $450,000, and with the average penalty at just under $48,000, now is the time to ensure that your NERC compliance program is tightened down.

In the past, we have stressed the importance of training your staff; testing your various procedures and maintenance programs for completeness and accuracy; and using different methods and methodologies to ensure your NERC compliance program is complete and ready to be audited by your Regional Entity and/or NERC at a moment’s notice.

So, with that said, let’s go back over a checklist of the areas that you will need to ensure are addressed in order to keep from having your organization’s name listed on the NERC Enforcement Actions Web page.

The following list is in no particular order, so don’t think you need to follow this in chronological order.

  • Internal Compliance Program (FERC Required — FERC released a guidance document on this back in 2008 — use it!)
  • Pandemic (Critical Assets Only — Use the CIKR documentation on the DHS website as guidance)
  • Facility Ratings Methodology (it better be more than one or two pages — ours average 39 pages)
  • Maintenance and Testing programs for PRC-005 (don’t forget to include the basis for your testing AND the intervals — if in doubt, use the ANSI or IEEE standards as your basis)
  • CIP-001 training for your staff (having your staff sign a piece of paper that they may or may not have read isn’t going to cut it; use a real training program)

This is a partial list of what needs to be addressed so that you don’t become a statistic. As I stress to our clients, don’t overlook anything. If in doubt, ask someone who knows what they are doing, and preferably someone who has been down the audit path before. Always remember, just because you passed your last audit doesn’t mean you are going to pass your next one. Stay alert, stay focused and above all, stay calm; it’s not as bad as it seems.

James Holler is founder of Abidance Consulting.


Weighing Pros and Cons of Energy Storage Technologies

James Holler, Founder, Abidance Consulting

Last time we made the argument that advanced energy storage has a demonstrable track record of positive environmental and economic benefits. Now let’s look at some of the energy storage technologies available in today’s marketplace:

Dynamic Power Resources (DPR)

  • Ramp Rate Control: DPRs monitor output from a renewable generation source on a microsecond basis and automatically respond by either absorbing renewable output or supplying additional power, so that the grid receives smooth, clean power at a desired MW/minute ramp rate.
  • Firming/Shaping: Coupling a DPR with a renewable generation forecast allows the utility to organize other generation resources to meet expected demand based on its guaranteed day-ahead renewable output schedules, as well as reshape output to deliver power during peak demand times regardless of whether the renewable asset is generating power or not. If a forecast is inaccurate, the DPR automatically supplies or absorbs power on a microsecond basis to ensure the day-ahead output schedule is met.
  • Curtailment Mitigation: If there are times when the utility needs to curtail renewable output, the DPR can take advantage of all of the as-available fuel by storing curtailed power and redistributing it at other times throughout the day, whenever the grid needs excess energy.
  • Ancillary Services: the speed and accuracy of the full four-quadrant DPR are unmatched by typical generation resources.
    • Voltage Support: the DPR has the ability to supply and absorb reactive power (VARs) while simultaneously supplying real power (Watts). This allows the system to maintain a target power factor while continuing to provide other functions that require real power management, such as the services mentioned in this section.
    • Frequency Regulation: the DPR can respond to AGC signals and/or frequency deviations with sophisticated control algorithms to help maintain nominal grid frequency. The DPR is capable of providing frequency support during loss of generation or a system disturbance, as well as addressing less severe frequency deviations due to normal grid operations throughout the course of each day.
    • Spinning Reserve: the unique sizing scheme of the DPR allows the customer to add more energy storage (MWh) and act as a back-up power reserve for extreme generation trip scenarios by providing power while offline generation units ramp up to replace lost generation.
  • Transmission and Distribution Upgrade Deferral: instead of undertaking costly T&D upgrades, use DPRs to supply power for incremental increases in load, as well as to enhance grid reliability for weak and/or congested T&D lines.
  • Peak-Shaving/Load-Leveling: Similar to ramp rate control, but over longer periods of time, a DPR can absorb and provide power, charging during off-peak times for use during on-peak times. Peak loads are lessened, which ultimately enables traditional generation to run more efficiently.
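The ramp rate control and peak-shaving items above both come down to the store absorbing or supplying power so that the grid sees a bounded MW/minute change. The following Python is an added illustration written for this page, not code from Abidance Consulting or any DPR vendor; the `Storage` class, the `ramp_rate_control` and `ramp_violations` functions and the one-minute solar output series are all constructed here. It goes a little beyond the bullet by enforcing the store's power rating and state of charge, so it also shows what happens when the store runs empty part-way through an event:

```python
from dataclasses import dataclass


@dataclass
class Storage:
    """Hypothetical DPR-style store. Energy is tracked in MW-minutes so that,
    with one-minute steps, charging or discharging at X MW moves X MW-min."""
    energy_mwmin: float     # energy currently stored
    capacity_mwmin: float   # usable capacity
    power_mw: float         # maximum charge or discharge power


def ramp_rate_control(renewable_mw, store, max_ramp_mw_per_min):
    """Smooth a one-minute series of renewable output so that the power delivered
    to the grid changes by no more than max_ramp_mw_per_min between steps, as far
    as the store's power rating and state of charge allow.

    Returns the list of grid-side power values (MW), one per input step.
    """
    grid = []
    prev = renewable_mw[0]          # the first step is delivered as-is
    for p_ren in renewable_mw:
        # Closest value to the raw output that still sits inside the ramp window.
        target = min(max(p_ren, prev - max_ramp_mw_per_min), prev + max_ramp_mw_per_min)
        wanted = p_ren - target      # > 0: absorb surplus (charge); < 0: cover a deficit (discharge)
        # Clamp to the converter's power rating ...
        action = max(-store.power_mw, min(store.power_mw, wanted))
        # ... and to the energy actually available in, or room left in, the store.
        if action > 0:
            action = min(action, store.capacity_mwmin - store.energy_mwmin)
        else:
            action = max(action, -store.energy_mwmin)
        store.energy_mwmin += action
        p_grid = p_ren - action      # whatever the store could not take up reaches the grid
        grid.append(p_grid)
        prev = p_grid
    return grid


def ramp_violations(grid_mw, max_ramp_mw_per_min):
    """Indices at which the delivered power still changed faster than the limit."""
    return [i for i in range(1, len(grid_mw))
            if abs(grid_mw[i] - grid_mw[i - 1]) > max_ramp_mw_per_min]


# Constructed example: a cloud passes over a 10 MW solar array for three minutes.
SAMPLE_OUTPUT_MW = [10, 10, 2, 2, 2, 10, 10]

if __name__ == "__main__":
    store = Storage(energy_mwmin=6, capacity_mwmin=12, power_mw=10)
    smoothed = ramp_rate_control(SAMPLE_OUTPUT_MW, store, max_ramp_mw_per_min=2)
    print("raw     :", SAMPLE_OUTPUT_MW)
    print("to grid :", smoothed)
    print("ramp limit still exceeded at steps:", ramp_violations(smoothed, 2))
```

Running it shows the drop from 10 MW to 2 MW being ramped down at 2 MW/min only until the store is exhausted at the fourth minute, after which the full step reaches the grid; the MWh sizing the spinning reserve bullet mentions is what decides how long the smoothing holds.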

James Holler is founder of Abidance Consulting.


Energy Storage Delivers Financial, Environmental Benefits for Power Entities

James Holler, Founder, Abidance Consulting

Advanced energy storage has proven that it delivers significant environmental and economic benefits as well as superior Bulk Electric System (BES) reliability. Let’s look at some of its key benefits:

Reduces the Need for Reserve Power Plants: Electricity storage technologies provide effective methods of responding to daily fluctuations in demand. Electricity produced at off-peak hours is now capable of being stored and used later to meet demand spikes, thereby reducing the need for expensive, aging, and carbon emitting fossil-fired reserve generation plants.

Cuts the Cost of Power Failures: As a result of the aging U.S. electricity grid, the DOE estimates that electricity outages and interruptions cost the U.S. approximately $150 billion annually. Electricity storage technologies can provide power to the grid to “bridge” gaps and smooth out short-term fluctuations until backup generation sources can be brought online.

Boosts Renewable Energy Integration: Wind and solar power are the two largest sustainable sources of carbon-free natural resources. But both are intermittent, varying widely in the energy that they can provide at any one time during the day due to fluctuation in the wind patterns and intermittent cloud cover for solar panels. Power storage technologies can smooth out this variability and allow unused electricity to be dispatched at a later time when it is needed at peak times. In addition, paired with renewables, energy storage can provide regulation services such as ramp control, curtailment mitigation, firming/shaping of power and other grid reliability services.

There are currently about six energy storage technologies available in the market: pumped hydropower, batteries, compressed air energy storage, flywheels, superconducting magnetic energy storage, and electrochemical capacitors. Solid state battery technologies are suited to quick, modular, scalable deployments with few environmental risks. We’ll survey each in our next blog tomorrow.

James Holler is founder of Abidance Consulting.


Fact, Fiction or Just Good Old Fashioned Nonsense – EMP Speech From FERC Conference

James Holler, Founder, Abidance Consulting

On February 8, 2011, FERC hosted a conference dealing with the security of the nation’s grid. I really wish I had been there so I could have called a lot of these people on the carpet about the garbage they were spewing forth! One of the “Chicken Littles” who took time to try and scare people, Avi Schnurr of the Electric Infrastructure Security Council (EISC), gave a doomsday scenario without any language on how to prevent or recover from an EMP event.

If Mr. Schnurr had wanted to add any value to his speech, which by the way, was based on test data from 45-50 years ago, he would have stated that there is a fix for EMP events called a Faraday Shield. Mr. Schnurr could have continued on and told everyone that Faraday Shields are so common that they are used in everyday items such as cell phones, microwave ovens and even LCD televisions. The technology to fix the issue(s) stated by Mr. Schnurr has been around for more than 50 years.

When an individual or company gives you bad scenario after bad scenario of what will, not what might, occur, and does not give a single example of a solution, or even a hint of one, one should ask oneself what this person’s ulterior motive is.

It is solely my opinion that the only purpose Mr. Schnurr served was to scare the power industry into calling on the EISC for assistance — for a hefty fee I am sure. I could be wrong, but I doubt it. I have seen too many “snake oil salesmen” in my time.

James Holler is founder of Abidance Consulting.


Skilled Social Engineers Threaten Your Proprietary Data

James Holler, Founder, Abidance Consulting

I have used social engineering (SE) to gain physical access to several large facilities and then to get key passwords and login information from people. I have posed as technicians and other officials in order to gain the proprietary information I wanted. Luckily, I’m a good guy who did this at the request of clients to test their own defenses.

Unfortunately, there are a lot of bad guys out there who do this, too.

The bag of tricks that Social Engineers use allows them to lie, cheat and steal their way past your organization’s security controls. The ultimate goal, in most instances, is theft, fraud and/or espionage.

Your best line of defense: Training your people.

Fraud incidents are on the rise and many of these crimes result from social engineers pulling off their costly deceptions in person, via the telephone and through popular social networking sites.

Despite all the media hype about hackers and viruses, the greatest threats to an organization’s information security are actually the employees of the company. They’re the ones who too often, too easily, fall victim to Social Engineering ploys and open the doors wide to anyone who appears to be and act “normal”.

Bank robbers case the joint. So do Social Engineers.

When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gaining information from those who know the company best. Their information gathering can range from simple phone calls to dumpster diving.

Being cognizant of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to blocking these manipulations. Regular testing to ensure the effectiveness of your training initiatives is a must. Your training must allow your staff to understand social engineering methodologies, why it is the most effective tool in attacking a company and why so many people fall victim. Your staff also needs to learn how effective corporate communication and incident response planning can prevent attacks from occurring in the first place.

Once you discover the best ways to test the effectiveness of your awareness efforts, you will then be able to learn what to do after the attack has occurred. Can you put the genie back in the bottle? Yes, if you know where the genie is likely to go next. Remember, everyone is susceptible to this kind of theft. The key is to know how to spot it so you can stop it.

James Holler is founder of Abidance Consulting.


It’s Time To Check Your CIP-009 Mandated Business Continuity Plan

James Holler, Founder, Abidance Consulting

It’s probably time to revisit your Business Continuity Plan(s) required under CIP-009.

Why? Because you’ve got less than a week until most facilities deemed to be Critical Assets have to be auditably compliant with the NERC CIP rules.

Around the country, natural disasters and man-made incidents and attacks have directly disrupted business operations across the power and utility industries. Having a definitive plan and response technique is essential to remain viable, especially in today’s rough economic climate.

Good continuity planning is vital to any critical industry. However, a rise in service interruptions due to natural disasters and other activities has underscored the need for business continuity plan development and maintenance. Even if you have completed your planning, you may want to revisit your plan one last time before you self-certify your compliance. One major area not being addressed in most Business Continuity Plans is the set of topics that were of no significant concern until very recently, such as terrorist activities, Aurora events and surviving a pandemic flu.

We’ve talked with several regional auditors recently, and they suggest that the regions are looking for registered entities to directly address these areas in the Business Continuity Plans. Several registered entities have recently suffered monetary fines for failure to include these areas in their plans.

Our discussions with the regional auditors also suggest that roughly 70% of the Business Continuity Plans that were reviewed were not deemed adequate. Unfortunately, this suggests that registered entities are not carefully planning their strategies or they do not have a firm grasp of what is required for a comprehensive plan. Either way, the regional auditors are not going to be so forgiving next year as registered entities begin to certify that they are compliant.

As you wrap up 2010 and prepare for the new regulatory world in 2011, it’s time to review your plan again or have a specialist in this area review it and make the necessary modifications so that you are truly auditably compliant.

James Holler is founder of Abidance Consulting.


NERC Compliance Could be Tougher in 2011

James Holler, Founder, Abidance Consulting

As one year winds down, let’s peer ahead to see what compliance “surprises” could come from our friends at NERC in 2011 and beyond.

We all know there are no guarantees that there won’t be any “surprises” next year or beyond. What we, as an industry, do know is that there is going to be a new version of the CIP requirements that will cause most, if not all, registered entities to become a low, medium or high impact critical asset. This change will require registered entities to prepare new policies and procedures as well as implement a series of fail-safes to protect the facility from a physical and/or logical intrusion.

Beyond the revised CIP requirements on tap, there is no telling what the compliance future holds in store for us. This past year there have been multiple NERC Alerts issued that would have affected a majority of the registered entities to some extent.

Then there was AURORA, a big NERC Alert that did affect the current status of many registered entities. As you may know, this alert was issued in October and gave registered entities only a few weeks to respond to NERC.

Next year may have a similar number of Alerts issued; there is no way to determine what may or may not affect you until the Alerts or directives are issued, either by your region, NERC or even FERC. One way to stave off any unforeseen expenses, including some of the ones registered entities incurred this year, is to outsource all of your NERC compliance efforts for a fixed fee via a Master Services Agreement (MSA) to either an internal corporate division or to a competent consulting firm. In either case, whomever you outsource your compliance efforts to must be fully adept at both CIP and Reliability Standards. This outsourcing could, in effect, negate any unforeseen expenses for consulting and other initiatives, since all NERC Alerts, etc. would be covered.

In addition to helping you prepare for and handle a prospective audit, your consultants should also be responsible for keeping you compliant at all times, filing the appropriate self certifications, self reports, updating all policies and procedures to reflect any changes that may occur and also to address all NERC Alerts and new requirements that affect you.

James Holler is founder of Abidance Consulting.


Beware the NERC CIP Consultant Spreading Rumors

James Holler, Founder, Abidance Consulting

I’ve noticed a new and troubling trend recently: There are a few consultants and firms using scare tactics to frighten potential clients into becoming paying customers. Many of these consultants use misinformation and half-truths to spread their fear mongering on social network sites such as LinkedIn. Unless FERC, NERC or one or more of the eight Regional Entities has been directly quoted, with the source named, or if you cannot otherwise confirm a consultant’s comments or statements, it is recommended that you contact these organizations for confirmation.

A good example of this is a consulting firm spreading wild rumors and accusations that there is going to be a CIP version 5, with a set of rules that is radically different from what is in place now. Well, having spoken to Commissioner Spitzer’s office at FERC, there are no immediate plans for a version 5 of the CIP requirements. Version 4 has not even been approved by FERC; therefore, FERC can’t even contemplate when, or even if, there will be a version 5 of the CIP requirements.

The Standards and Development Team that works with NERC to create the various CIP rules and changes is made up of industry experts – some more knowledgeable than others – who draft the modifications or new requirements. These are then put out for vote by the industry. If they are approved, the CIP requirements are presented to FERC for its approval. More often than not, FERC refers the presented rules back to NERC for modification or makes requests for clarity and guidance. The Standards and Development Team is not the de facto word on the CIP requirements; FERC is.

To sum up, don’t believe everything you read or hear. I do recommend that you get independent verification from FERC, NERC or your Regional Entity. If the consultant is using scare tactics to get you to sign a contract, they are only interested in making a quick dollar and do not have your best interests in mind. There are literally hundreds of people on the Standards and Development Team, so if someone touts that they are on the team, that’s nice…so are many others and they aren’t going around using scare tactics to get you to sign on the dotted line. My best advice is to do your due diligence before you jump simply because someone told you the sky is falling.

James Holler is founder of Abidance Consulting.


NERC Requires Aurora Compliance by All Registered Entities

James Holler, Founder, Abidance Consulting

If you run SCADA/EMS data exchange networks and are located one substation away from a generation plant, then the Aurora vulnerability should be on your mind considering the latest NERC Alert. The CIP Standards will not help you out of this vulnerability; neither will “normal” protection schemes. Idaho National Laboratory (INL) blew past those in seconds with time to spare, just like a well-trained adversary will (see video below). Since that time, there are many small and midsized entities that are vulnerable as vectors to allow an adversary the ability to reproduce this catastrophic physical failure on a grand scale.

The vulnerability in a nutshell is that by physical or cyber means an adversary gains access to the breakers up to three substations out from a generator and ‘bangs’ it out of phase. By how much out of phase is still something of a mystery to many who are not protection systems engineers or generator folks. Suffice it to say that they are very aware of the worst case scenario of phase alignment problems. Aurora creates this in a split second. One second your generator is humming happily and the next it has broken couplings and a mangled shaft. It leaves you scratching your head and putting out fires.

There is hope, and now a reason to get this problem fixed. The first step in doing this is to create an inventory; the second is getting your best protection people, cyber folks and substation folks together to see what ingress points you have to your substations. Next is cutting off the “pipe”. If you are running modem access to your RTUs, you need to stop it. This is not good business practice unless you have encryption and password protection. Also of note are the engineering access points. If you have the access points set up on a VPN, you might have allowed split tunneling, which is not a good idea. Last but not least, entities need to start talking amongst themselves.

If you are a registered entity then you should be talking to whoever owns the next substation out from your onsite substation to see what they are doing to protect your assets. This affects most registered entities to some extent.
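As a way of turning the inventory step above into something checkable, here is an added Python example, written for this page and not Abidance Consulting’s or NERC’s code, that reviews a constructed list of substation ingress paths against the three points the post makes: unprotected modem access to RTUs, VPN engineering access with split tunneling left on, and paths that belong to a neighbouring owner you still need to talk to. The `AccessPath` record, the three-hop scope constant (taken from the post’s “up to three substations out” description), the organisation names and the inventory itself are all assumptions made for illustration:

```python
from dataclasses import dataclass

# Reach of the vulnerability as the post describes it: breakers up to three
# substations out from a generator. Assumed scope boundary for this example.
IN_SCOPE_HOPS = 3


@dataclass
class AccessPath:
    """One remote-access path into a substation. Field names are this example's
    own assumptions about what an ingress inventory would record."""
    substation: str
    hops_from_generator: int      # 0 = the generator's own substation
    kind: str                     # "modem" (dial-up to an RTU) or "vpn" (engineering access)
    owner: str                    # organisation that operates the path
    encrypted: bool = False
    password_protected: bool = False
    split_tunneling: bool = False


def review_path(path, our_org):
    """Apply the post's rules to one path; returns the findings (empty = nothing to do)."""
    findings = []
    if path.hops_from_generator > IN_SCOPE_HOPS:
        return findings           # beyond the stated reach: inventoried, but not flagged here
    if path.kind == "modem" and not (path.encrypted and path.password_protected):
        findings.append("modem access to RTU without encryption and password protection: stop it")
    if path.kind == "vpn" and path.split_tunneling:
        findings.append("VPN engineering access allows split tunneling: disable it")
    if path.owner != our_org:
        findings.append(f"path operated by {path.owner}: confirm what they are doing to protect it")
    return findings


def review_inventory(paths, our_org):
    """Return (substation, finding) pairs for every in-scope path that needs action."""
    return [(p.substation, f) for p in paths for f in review_path(p, our_org)]


# Constructed inventory for a hypothetical registered entity "ExampleCo".
SAMPLE_INVENTORY = [
    AccessPath("SUB-A", 0, "modem", "ExampleCo"),                       # unprotected dial-up
    AccessPath("SUB-B", 1, "vpn", "ExampleCo", encrypted=True,
               password_protected=True, split_tunneling=True),          # split tunnel left on
    AccessPath("SUB-C", 2, "vpn", "NeighborCoop", encrypted=True,
               password_protected=True),                                # neighbour's substation
    AccessPath("SUB-D", 5, "modem", "ExampleCo"),                       # beyond three hops
]

if __name__ == "__main__":
    for substation, finding in review_inventory(SAMPLE_INVENTORY, "ExampleCo"):
        print(f"{substation}: {finding}")
```

The scope check is deliberately the first test: a path that is out of reach is still worth keeping in the inventory, but it should not crowd the list of things to cut off first. Feeding the real inventory through a check like this every six months also gives you the evidence trail the mitigation-plan reporting mentioned below asks for.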

In order to comply with the NERC requirement you will have to create a mitigation plan and continue reporting to NERC every 6 months until you have mitigated this issue.

A complimentary Webinar “NERC AURORA Compliance: Are you Ready?” will take place on November 11, 2010. You can register here.


NERC Adds Heavier Fines, CIP Violations to Latest Enforcement Actions

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

NERC is mad as hell, and they’re not going to take it anymore.

Okay, maybe that’s stretching it a bit, but take a look at their latest batch of tougher enforcement actions that hit some regulated entities with some heavy penalties.

Former cyber security specialist in FERC’s Office of Electric Reliability Randal Blanchette believes the upswing can be partially attributed to the simple fact that more and more entities are being audited for CIP-002 through CIP-009 generally. “There are also more complexities [for companies to comply with] as newer revisions come out,” he adds. We’ve talked to Randal before about confusing NERC regulations.

But Abidance Consulting’s James Holler says NERC is “flexing its muscle a bit.” They’ve been “nice” to regulated entities up until now, “but now they are saying it’s over.”

He noted a lot of six figure fines among this recent slew of penalties. “Those who didn’t take NERC seriously better start doing so now.” NERC observers tell us that in the past, few NERC citations carried a price tag for regulated entities. “We gave you a break and you took advantage of it,” is Holler’s view of NERC’s new attitude. “Some of you were slow to get your compliance programs in order and NERC wants to show they mean business now.”
