In the wake of recent global-scale cyber intrusions, security concerns have expanded from being compliance and operational issues to fundamental risk management considerations. An integrated,...
Cyber Attack! - Defining 'Critical Assets'
ERCOT utilities approach CIP compliance from varying perspectives
vulnerable and critical assets, Oncor turned its transmission system planning and reliability experts loose to perform what it called “consequential studies.”
“Our transmission planning group conducts N-1 studies regularly to ensure the highest possible system reliability,” says Steve Martin, TMS project manager with Dallas-based Oncor, a subsidiary of Energy Future Holdings (formerly TXU Corp.) “These are heavy-duty reliability guys. They do N-1 studies in their sleep.”
The methodology evaluates a wide variety of scenarios, ranging from a cyber attack or outage affecting a single substation, to a series of substations, and the effect each would have on other assets, the service area and region. Each scenario revealed whether an attack could be isolated, or could spread quickly throughout the Oncor power grid.
“I suspect quite a few utilities are doing it this way. Rather than performing thousands of voltage-stability studies, we saw it as a calculation issue,” Martin says. “The problem is you can’t predict what state the (bulk power) system will be in when the event occurs.”
Oncor’s methodology proved most valuable when applied to the off-peak maintenance season—when equipment is being changed out, or certain generators are shut down for a planned outage. “During the peak-load season all the best generators are available and there aren’t any planned equipment outages,” Martin says. “But either way, it’s impossible to model every possible scenario.”
On the smaller end of the scale is the city of Garland, Texas, a municipal utility that operates three gas-fired generating plants, 133 miles of transmission lines and serves approximately 68,000 customers.
“We did most of it a year ago,” says David Grubbs, transmission manager for Garland. “The CIP is fairly clear in terms of what physical assets you should look at. You’ve basically got a checklist to go by ( see sidebar, “Critical-Asset Checklist” ). We’re using steady-state load-flow analyses, which basically show how overloading one asset will affect the others.”
But the guidelines can get a bit hazy, even for a comparatively small entity like Garland.
“The way I read it, if you have two computers three feet away from each other in a critical location and they communicate with each other by router protocol, that triggers the cyber security rules—even if the wire connecting the two never leaves the room. To me, that’s overkill,” Grubbs says.
Further, the standards do not apply to assets operating at the 69-kV level. That’s a problem because Garland relies on neighboring municipal Greenville Electricity Utility Systems’ 69-kV peaking unit for black-start support.
“A lot of black-start units are 69 kV because they’re smaller and easier to start,” Grubbs explains. “Greenville is designated to bring up our units if a blackout occurs. But they’re not considered critical under the CIP standards, even though their system is obviously critical to us.”
Fortunately for Garland, Greenville has begun applying the standards to its system as well, even though it’s not legally required to do so. “Actually if we all go dark, I can’t start our peaking generator without my diesel generator, so that’s the real critical asset,” says Greenville Power