Thursday, February 21, 2019

NERC: Despite Solid 2016, Grid Threats Remain

By Rory D. Sweeney

The North American grid was very reliable in 2016, but threats are increasing and restoration from a total system collapse could prove time-consuming, two recent nationwide studies found.

NERC last week released its annual analysis of the grid’s performance, which found that while 2016 ranked as the second-most reliable year on record, threats to the system — particularly on the cybersecurity front — are on the rise.

The revelation adds weight to a recent joint FERC/NERC report that found that recovery of the bulk power system (BPS) from a blackout could be a lengthy and resource-consuming process if supervisory control and data acquisition (SCADA) and energy management system (EMS) functionality are also lost. The report was based on responses from eight industry participants who provided information for the study.

NERC cybersecurity


The system’s cumulative severity risk index (SRI) for 2016 is second only to 2011 since the metric began being tracked in 2008. Breaking it down by each BPS component, unplanned generation unavailability accounted for the vast majority of cumulative SRI, which the report said is typical. Transmission loss made up about a fifth of the total, and load loss was relatively minimal.

“No single component shows a significant step change for any given day,” the NERC report says. “The performance within each segment proves to be very stable.”

James Merlo, NERC’s senior director of reliability risk management, said that 2016 was the second consecutive year in which no daily SRI broke the top 10 most severe days on record, despite days with severe weather. This indicated that the BPS is becoming increasingly resilient to severe conditions, he said.


Merlo reported that overall transmission outage severity was reduced year over year. For the second consecutive year, there were no Category 4 or 5 events — the most severe — and only two Category 3 events.

Still, outages caused by human error last year increased to 2014 levels after falling in 2015.

“While no increase in outage severity was discovered, human error remains a major contributor to transmission outage severity and will remain an area of focus,” the report said.

However, the misoperation rate continued a four-year trend of decline across North America. Misoperation events have the highest correlation with the most severe outages.

Frequency response, what Merlo called the “heartbeat of the grid,” is “looking good,” he said. It remains flat or improving across the continent. He said frequency response becomes “different” but not necessarily harder with the influx of intermittent resources on the system.

He also reported that no load was lost to physical or cybersecurity attacks but noted that such attacks are increasing.

“It’s a positive finding, but I think we all know that we’re going to have to give our attention in this area based on the risk increasing every day,” he said.

The report highlights National Institute of Standards and Technology data that indicate high-severity cybersecurity vulnerabilities are consistently increasing. However, vulnerabilities increased 23%, while incidents increased 38%.

NERC cybersecurity


“Vulnerabilities are increasingly being successfully exploited, [which] reinforces the need for organizations to continue to enhance their cybersecurity capabilities,” the report says.

The threat was further accentuated in the joint report from FERC and NERC, which found that all participants would remain capable of executing their restoration plans without SCADA/EMS availability by leveraging redundancies. However, the process would be more complicated, take more time, require more resources and rely much more on “interpersonal” communications.

“Participants indicated that system restoration steps [that] involve additional communications and coordination with multiple personnel, such as load pick-up, will be more labor-intensive in the absence of SCADA or EMS,” the report said.

The report recommends utilities ensure the effectiveness of backup communications systems and incorporate that into emergency training, including determining the manpower and tools necessary to collect information and maintain operational awareness without SCADA.

“Participants expected that dependency on interpersonal communications would significantly increase in performing system restoration in the absence of SCADA, and that any unavailability of interpersonal communications would further hamper system restoration,” the report said.

It also recommended considering the shelf life of onsite fuel for backup generators and backup area control error applications.

Participants reported that their emergency procedures were flexible and robust enough to handle a wide range of changing circumstances. All plans involve development of multiple restoration paths and islands.

“If a SCADA system(s) is still unavailable as system restoration progresses, the participants may adjust their restoration strategy accordingly, e.g., restore areas within the reliability coordinator footprint but remain operating as separate islands within the reliability area, holding off synchronizing to form a larger island and/or interconnecting with the rest of the interconnection, thereby reducing the risk of an outage to a larger restored area,” the report said.

In the event of a cyber event that disables SCADA or EMS, participants indicated it would be more reliable to remain islanded “until associated risks are alleviated” in order to avoid repeated widespread blackout.

The increased reliance on interpersonal communications did raise concerns about satellite and cellular phone functionality during emergencies, as usage by other organizations would undoubtedly increase, limiting available bandwidth and exacerbating voice delays.

Most participants stressed the importance of owning and maintaining their own backup wireless systems for emergency field communication — a practice followed by all the participants.