by Susan Kraemer, Solarplaza
Renewable energy companies have ‘serious lack of knowledge’ about Federal requirements to protect critical infrastructure assets.
The solar industry is not as prepared as it needs to be to meet upcoming standards from the North American Electric Reliability Corporation (NERC).
Eric Whitley, founder of power system consultants GridSME, said US renewable energy developers are not paying enough attention to NERC’s Critical Infrastructure Protection (CIP) standards.
Intended to protect the grid from cyber terrorism, the latest iteration of these rules from NERC, a quasi-governmental institution overseen by the Federal Energy Regulatory Commission (FERC), will come into effect on April 1, 2016.
"We see both wind and solar entities having a serious lack of knowledge, basic understanding and appreciation as to what is required under the NERC regulatory framework," said Whitley.
"We've seen entities that haven't even registered with NERC, and that's a big deal. We have seen a great reluctance and almost an indignation that they are being pulled in because ‘they're solar, they're renewable, they're different’."
Whitley said it has been a challenge to “ensure that entities really understand the grid infrastructure they're joining, and that these rules apply to them."
Whitley's consultancy helps solar firms become compliant with the standards, both in terms of documentation and the systems required to maintain compliance.
But increasingly, he said, his practice has simply consisted of raising awareness through presentations, to get senior-level executives to understand the regulatory risks they face for ignoring NERC.
The US takes the threat of cyber terrorism against critical infrastructure very seriously.
There are fines for non-compliance that can potentially reach $1 million a day for each violation under CIP standards, which have about 230 requirements under each one of nine security categories.
These ever-evolving versions of the CIP standards define exactly how industry must protect the grid against massive disruptions under Section 215 of the Federal Power Act.
These standards are meant as a ‘floor’ from which to build greater cyber security platforms.
The most recently approved version of the standards, Version 5, will extend the scope of the systems that are already protected by the CIP reliability standards, and adopt new cyber security controls.
There are two veins of regulatory standards: FERC Order 693, covering planning and operations, and the NERC CIP standards (Versions 1-5), protecting critical infrastructure.
Triggering thresholds (75 MW, 1.5 GW) are very important under the regulatory changes in CIP Version 5.
Any site that exceeds 75 MW is in scope for registration and requirements for NERC mandatory standards under FERC Order 693 and some of the CIP standards.
FERC Order 693 standards cover operations, maintenance and record-keeping of grid assets, and span areas from keeping voltage and frequency levels stable to managing vegetation to ensure power lines don’t come into contact with trees.
Any single site (or group that can be determined to be a single site) that exceeds 1.5 GW would also be in scope for CIP Version 5 standards.
For example, a control center that operates generation for an aggregate megawatt value of greater than 1.5 GW in a single interconnection is in scope for some 693 standards and all of the CIP Version 5 standards.
"Any company should understand that their SCADA [supervisory control and data acquisition] architecture, access to systems, and how they perform IT and security maintenance will fall in scope if they meet threshold criteria levels," Whitley said.
“Lacking awareness or understanding often requires costly network re-architecting to become compliant.”
Adhering to CIP Standards will mean that access to all applicable systems as well as employee activities will require much greater oversight and security measures.
For example, extensive employee background checks as well as rigorous cyber-security training will be required, along with dedicated staff and executive sponsorship to set the culture of compliance and manage regulatory risk.
Reliability and security measures were originally made mandatory in 2005, after a massive Northeast blackout in 2003. Congress amended the Federal Power Act in 2005, making industry reliability standards mandatory and enforceable by NERC.
But events such as an April 2013 PG&E substation shooting resulted in additional standards on physical protection for high-risk substations.
Whitley emphasised that generation operators that have recognised and adhere to the standards and the necessary controls will have an advantage over those that do not.