By Rich Heidorn Jr.
WASHINGTON — NERC CEO Jim Robb is a chemical engineer who learned the electric industry as a McKinsey consultant in California in the 1990s.
“So I learned the industry much more from a business and strategic angle than coming up through technology, operations and planning,” he said Thursday during an hourlong press conference scheduled to mark six months on the job for Robb, who was previously CEO of the Western Electric Coordinating Council. (See NERC Names WECC Chief to Top Post.)
“I’m … not an electrical engineer. … I’m never going to present myself as the smartest guy in the room on any technical topic,” he said. “I think the reason the NERC trustees chose me for this job was my ability to put the right set of people together to work on the right set of issues at the right time.”
Robb, who was tapped to replace long-time CEO Gerry Cauley, met with the press at NERC’s D.C. office, which houses about 30% of the organization’s employees, including its legal, enforcement and communications staffs and the Electricity Information Sharing and Analysis Center (E-ISAC). Robb said he spends most of his time at NERC’s Atlanta headquarters but visits D.C. about three or four times a month. (See related story, NERC Chief Sees Need for Inverter, Fuel Assurance Standards.)
Robb said NERC has a good foundation, citing the long-term strategic plan developed over the last 18 months and its four-year effort to transition to a risk-based approach, the Reliability Assurance Initiative (RAI).
The RAI moved NERC away from the “one size fits all, check the box” approach of the past, Robb said.
Instead of auditing all registered entities on a three-year cycle, NERC and its Regional Entities are focusing on the most critical standards. NERC also has identified about 20% of its requirements as candidates for retirement.
NERC is also narrowing its focus to the entities that present the biggest risks to the system, based on their scale, location and the neighbors with whom they are connected. The organization’s staff now has the power to change an audit’s scope on site if unexpected issues come up.
“It’s much more tailored to the individual company, its risk posture and its historical performance,” Robb said. “I think when we first rolled this out, industry thought, ‘This is great. This is going to be much less [regulation].’ And in fact, the experience has been all over the board. There’s some entities that would say, ‘Boy, we’re seeing a lot more of you than we’d like.’ And there are a few that we have had a much lighter touch on.
“We have to maintain rigor at all times. While we’ll disproportionally focus our time on and attention on the key risks and issues of the moment, we can’t lose sight of all the other stuff that goes on,” he added, mentioning criticism the Federal Aviation Administration received over its inspection practices in April following a fatal Southwest Airlines engine failure caused by cracked fan blades. “I don’t want to go through that,” he said.
Among Robb’s priorities are improving the consistency in how standards are implemented across regions, long a source of industry complaints, and improving the work of the ISAC.
The ISAC effort is being led by Bill Lawrence, a NERC veteran who led the GridEx IV exercise in 2017. Lawrence was appointed in August as chief security officer, replacing Marcus Sachs, who resigned last December. RTO Insider reported that Sachs was forced out because of concerns by industry officials on the Electricity Subsector Coordinating Council (ESCC) that he lacked the background to lead the ISAC’s planned expansion. (See NERC Parts Ways with Chief Security Officer.)
“The ISAC really has not performed up to expectations,” Robb said. “Over the last couple years we, and the Electricity Subsector Coordinating Council’s Member Executive Committee, worked with Bill and others to put real rigor around the strategic role of the ISAC. … The ISAC is really designed to [provide] a service function for the industry. It’s not meant to be an idea lab.”
Robb said the ISAC faced challenges in “sanitizing” confidential information it receives and converting it to actionable intelligence.
The ISAC will double its staffing to “build [a] very strong analytical capability” and create a 24/7 watch operation, Robb said. The ISAC is now staffed only during normal business hours, although there is a NERC officer on duty around the clock.
The Cybersecurity Risk Information Sharing Program (CRISP), which is funded by industry and the Department of Energy and managed by the ISAC, is now monitoring utilities representing about 75% of electric meters to identify hackers seeking to penetrate the companies.
“The risk of a major outage as a result of one of these [attacks] is very low — but not zero,” Robb said. “And given the havoc that would result, we need to always be vigilant and staying way ahead of the curve, and I think we are. I think our system is designed with so much security built in, through the standards, through the isolation of operating systems from enterprise systems, that it would be very, very unlikely that a foreign entity or a malicious actor of any type would be able to create a catastrophic kind of cascading issue on the grid. Not zero, but very unlikely.”