In May 2, 2006, the NERC board of trustees adopted the Critical Infrastructure Protection Cyber Security Standard. This article provides some answers to questions in the form of security program...
Too Much Reliability
NERC confronts a case backlog now numbering in the thousands.
FERC’s recent technical conference on electric reliability, compliance and enforcement didn’t really get cracking until well into the second hour. That’s when Gerry Cauley, president and CEO of the North American Reliability Corp., confirmed that of nearly 5,500 possible standards violations identified by NERC since its official inception in 2006 as the nation’s electric reliability czar—an average of 30 new cases per week—some 3,000 remained open and unprocessed.
But it remained for Steve Naumann, testifying a few minutes later as Exelon’s V.P. for wholesale market development, to put numbers into context for FERC and attendees at the mid-November conference:
“Input minus output equals accumulation,” he said, referring to a formula he said he learned in engineering school.
“That concept applies to filling a bathtub, to carbon dioxide in the atmosphere, and to the processing of NERC violations.
“Whether we refer to the difference … as case load or backlog, there is an accumulation issue with NERC violations and the trend is upward” ( see Figure 1 ).
Imagine the inefficiency that attends such a backlog. Daniel Skaar, president of the Midwest Reliability Organization, one of NERC’s eight delegated regional enforcement entities, testified that his agency sometimes ends up prosecuting a utility or other industry respondent for a violation occurring three years in the past, which the respondent actually mitigated two years earlier by correcting its compliance policies.
And with FERC only now beginning to address problems that come with integrating wind or solar into the grid, the situation might only get worse.
In July of last year, at a reliability “summit” held at FERC to discuss how standards get developed, Commissioner Philip Moeller speculated on how intermittent resources would affect NERC’s efforts at reliability enforcement:
“This is the going to be a big issue… I see the trend as something that can perhaps swamp us.”
WECC CEO Louise McCarren put on a brave face at the July summit: “In the West we’re already seeing a significant trending down in violations.”
Yet two months later, in its order assessing NERC’s three-year performance, FERC noted that McCarren’s Western Electricity Coordinating Council had been cited by NERC as one of its “less-effective” regional enforcement entities, and in fact had cancelled all compliance audits for fourth quarter 2008 without even consulting NERC ( Dkt. RR09-7, Sept. 16, 2010, 132 FERC ¶61,217 ).
Cauley himself conceded in November that while NERC’s current caseload was likely “transitional” (the original wave having crested), a new wave of violations related to cyber security was “still building.”
Commissioner Moeller drilled down in November in a question he posed to Stacy Dochoda, general manager for the NERC’s SPP regional entity:
“Stacy, did I hear you right that the average employee takes a month to handle each violation, even with a zero-dollar penalty?”
Dochoda replied that initially, it took even more staff time to complete a no-penalty case, since “you have to justify it.”
Drawing FERC’s attention to a