NERC says cyber attack risk is growing, but no power outages yet
There were no reportable cybersecurity incidents in 2016 and, therefore, no events that caused loss of load
There were no reportable cybersecurity incidents in 2016 and, therefore, no events that caused loss of load, according to the North American Electric Reliability Corporation's (NERC's) "State of Reliability" report for 2017.
While this indicates NERC’s efforts with industry have been successful in isolating and protecting operational systems from various adversaries, this does not suggest that cybersecurity risk is low. Threats continue to increase and are becoming more serious, according to NERC.
Recognizing that risk management and determining appropriate and meaningful security metrics is difficult, the NERC Critical Infrastructure Protection Committee (CIPC) and NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) have developed a roadmap for future metrics development, including refining the initial set of metrics that are based on operational experience. The roadmap addresses consideration of the challenges associated with collecting security-related data:
· Historically, NERC and the E-ISAC have limited data related to cyber and physical security incidents as these incidents have been relatively rare and have had little or no impact on BPS reliability.
· The magnitude or number of constantly changing security threats and vulnerabilities is not known with any degree of certainty, particularly as they relate to BPS reliability.
· The number and type of cyber systems and equipment used by the industry is vast, making it difficult to develop metrics that are meaningful to individual entities across the industry.
· Data that details security threats, vulnerabilities, and real incidents is highly sensitive. Handled inappropriately, vulnerabilities could be exposed and new and more sophisticated exploits developed.
The CIPC has researched security metrics developed by leading experts outside the electricity industry and examined more than 150 of these to assess their applicability from a BPS reliability perspective. The CIPC concluded that about 30 of the 150 would be relevant. This assessment underscores the challenges associated with developing relevant and useful security metrics that rely on data willingly and ably provided by individual entities. The NERC E-ISAC and CIPC continue to investigate potential new physical and cybersecurity metrics.
While the key findings, data, and information in this report are presented independently, they are cross-cutting and demonstrate interdependencies between many of the issues that present unique challenges to the electricity industry. These risks must be strategically monitored and mitigated in order to preserve the reliability of the BPS. NERC’s State of Reliability 2017 report provides a basis for understanding and prioritizing these risks and, more importantly, how these interdependent challenges require ERO-wide coordination to effectively mitigate these risks.
While the misoperation rates for some regions increased in 2016, the overall NERC 2016 misoperation rate is lower than last year (from 9.5 percent to 8.7 percent), continuing a four-year declining trend across North America. For the first time, the WECC Region’s overall operation count was collected, enabling the Western Electricity Coordinating Council misoperation rate to be developed for the last two quarters of 2016 (calculated to be 6.0 percent). Using this newly acquired WECC data results in the collective NERC misoperation rate’s reduction to 8.3 percent for the measured 2016 year.
Three of the four interconnections showed overall improvement while the Québec Interconnection frequency trend moved from declining to stable. No interconnection experienced frequency response performance below its interconnection frequency response obligation.
Frequency response for all four interconnections improved during the 2012–2016 timeframe. Adequate frequency response arrests and stabilizes frequency during system disturbances. The addition of a large number of variable energy resources (VERs) onto the BPS has resulted in the need for operational flexibility to accommodate demand while also effectively managing the resource portfolio.
This metric should continue to be monitored as the rapidly changing resource mix presents a potential challenge to frequency response,8 one of the essential reliability services. ERSs are comprised of primary frequency response, voltage support, and ramping capability, all needed for the continued reliable operation of the BPS. As VERs are becoming more significant, NERC is developing sufficiency guidelines to establish requisite levels of ERSs, frequency response being most notable in this case.
Additionally, increasing installations of distributed energy resources (DERs) modify how distribution and transmission systems interact with each other. Many system operators currently lack sufficient visibility and operational control of these resources, increasing the risk to BPS reliability.
This visibility is a crucial aspect of power system planning, forecasting, and modeling that requires adequate data and information exchanges across the transmission and distribution interface. The most significant growth in DER penetration is occurring in NPCC and WECC. NERC’s Distributed Energy Resources Task Force released their initial report in February of 2017.