Mandatory reliability standards put in place by NERC three years ago give reason for optimism concerning their success. But the organization struggles with standards development, compliance, enforcement and transparency.
The future challenges facing NERC are many and a review of current issues shows it is not yet time to conclusively assess the effectiveness of NERC or its mandatory reliability standards. NERC’s first Three-Year Electric Reliability Organization Performance Assessment Report (Three Year Report) since its appointment as the electric reliability organization (ERO) concludes optimistically that the regulatory process and the standards themselves have improved reliability.1 While one logically can conclude a mandatory system is more effective than a voluntary system, closer examination shows NERC struggles with standards development, compliance and enforcement, and transparency and uniformity of these processes. The good news is some solutions already have been identified in the Three Year Report and have been implemented. One truly can be optimistic about the future effectiveness of the mandatory reliability standards regulatory regime.
Most standards only became mandatory in 2007 and others, such as the Nuclear Plant Interface Coordination standard, won’t become effective until April 2010. Meanwhile, standards and guidelines are evolving and new standards are developing to address issues previously missed or new areas of importance. The long process to develop a reliability standards project, which requires an average of 21.7 months, necessitates additional and concurrent programs to assist with improving bulk power system reliability.2 In fact, the consensus-based standards process has been criticized as requiring consideration of too many diverse viewpoints, resulting in standards that don’t always effectively protect reliability.3 Guidelines and examples of excellence provide reliability assistance and might even close gaps in standards.4 The guidelines generally are applicable, while the examples of excellence are limited to specific situations.5 Both allow the industry to apply the methods that address its specific needs, thereby maximizing reliability performance. Furthermore, the guidelines allow flexibility to address emerging topics, such as installation of a smart grid. Before the standards became mandatory, pursuant to a directive from the Final Report on the 2003 Blackout (Final Report), another task force was assigned to identify best practices, which subsequently produced the 2005 Best Practices Task Force Report.6 The task force concluded, after a survey of best practices in other industries, that voluntary practices are worthwhile. However it concluded the term best practices doesn’t have a uniform meaning in the utilities industry.7 Instead, its 2005 Best Practices Task Force Report proposed as best practices non-mandatory operating guidelines that will function as a subset of the reliability standards. Sources of operating guidelines include the examples of excellence, former NERC operating guides, regional guides and surveys of operating practices. The task force recommended that the operating committee assign subcommittees to develop the guidelines and set a process for industry review.8 At that time, the reliability standards weren’t yet mandatory.
NERC continued to follow the 2005 Best Practices Task Force Report recommendations after the standards became mandatory in 2007. One such set of operating guidelines was created by the real-time tools best practices task force (RTBPTF), which the operating committee formed to identify “minimum acceptable capabilities and best practices for real-time tools necessary to ensure reliable electric system operation and reliability coordination.”9 Although it took three years of fact finding and analysis to produce recommendations, it occurred concurrently with mandatory standards development and included non-mandatory guidance. RTBPTF recommended 16 operating guidelines and the creation or modification of significantly more mandatory standards, indicating that the guidelines aspect of the regulatory regime is underused.10 The operating guidelines suggested implementing real-time tools, including visual tools, accurate data and reliability analysis, contingency screening criteria, and the minimum items necessary for actual and required operating reserves calculations.11
Other non-mandatory guidelines are found in the three-year cycle reliability readiness evaluation and improvement program, which evaluates the reliability readiness of balancing authorities, transmission operators and reliability coordinators.12 Examples of excellence are distinguishable from best practices in that the examples of excellence identified in the program are “notable, effective and feasible” examples that organizations should review to determine if they could be applied to improve their operations, while best practices are defined as the specific “singular best approach.”13 The examples of excellence cover topics as varied as cyber security, outage coordination and communication, real-time monitoring and system restoration. The downside of such explicit guidance is that the three-year cycle audits don’t necessarily identify the most current examples of excellence as the oldest examples posted on the Web site are from 2004 audits and the most recent ones are from 2008. Similar guidelines or examples of excellence would be helpful in the development and implementation of the smart grid. The smart grid is one of the most important developments facing the bulk power system today and also one of the most challenging.14 Some of the smart-grid challenges include increased automation and new communication paths. Currently, approximately 60 percent of North American control centers link to other utilities.15 Data sharing between control centers and reliability coordination is a positive development as it will improve operations and situational awareness. It is also negative, however, because the bulk power system’s vulnerability to cyber attacks increases with more information sharing, and greater potential is created for human error and automation weaknesses.16 Furthermore, structural smart-grid changes such as accommodations for plug-in electric vehicles, grid-connected distributed generation and renewable sources will affect the overall bulk power system in physical ways.17 These cyber security issues and physical changes to the grid will translate into new or revised mandatory standards.18
NERC is changing the formal standards for critical infrastructure protection (CIP), but also has issued draft guidance for categorizing cyber systems.19 The informal comment period for the guidance document ended in February 2010. As part of extensive revisions according to FERC Order 706, proposed changes to critical cyber asset identification in CIP-002-4 may replace terms such as critical assets and critical cyber assets.20 Instead, the cyber system and bulk electric system subsystem will be categorized according to their potential level of impact on reliable operation. Registered entities then will map systems according to the impact categories. The guidance document here could serve a crucial role as to the registered entities’ understanding of the new standard and how regulatory entities assess compliance.
The long NERC standards development process constitutes a basic logistical challenge, which can impede timely responses to security risks. It could be considered a minor issue in the pending legislation to give FERC more authority to deal with cyber security issues.21 The current standards development process simply can’t keep up with rapidly changing security situations. Besides legislative changes, another solution might be guidelines. For example, smart-grid guidelines have the potential to be more agile and capable of addressing immediate problems by not passing through the mandatory standards development process. While the real-time tools best practices task force engaged in fact finding for three years, guidelines can be developed within a shorter timeframe and with a less complicated process. Despite the lack of enforceability, the non-mandatory guidelines can assist with how a bulk power systems participant assesses smart-grid equipment as to overall effect on reliability and can identify certain useful resources, if any. They also can suggest steps that should be taken before applications are installed or changed. Last, they can suggest security practices beyond those required by the mandatory standards. Over time, more examples of excellence will develop to further assist with reliability challenges.
In general, guidelines and examples of excellence are helpful in changes with far-reaching consequences, such as the smart grid. Guidelines and examples of excellence create awareness of the considerations that will ensure bulk-power system reliability in order to prevent loss of money and resources from a blackout for the electric industry and customers alike.
Formal standards compliance and enforcement procedures have been in place only since June 2007. The transition period from June 18, 2007, to Dec. 31, 2007, was a period when entities were encouraged to self report and NERC and regional entities had enhanced enforcement discretion to dismiss or settle violations.22 When the transition period ended, violations were processed in a uniform manner. Violations have decreased from 2007 to 2008. Before June 18, 2007, there were 5,079 violations reported and almost half were dismissed, and for all of 2008 the regional entities reported only 1,646 violations.23 From these facts, it’s simply too soon to conclude that the decrease is due to increased compliance and not due to the special circumstances during the transition period. Likewise, mitigation compliance improved from 2007 to 2008, but again, this might be due to relaxed compliance assessments and a newly installed staff. At the compliance director or manager level, excluding the one manager with more than five years of tenure, the average staff has been with NERC for a little over two years.24 The main problems reported by regional entities and the industry are twofold: the lack of uniformity and the lack of transparency in the compliance and enforcement process.25 Attempts to modify and clarify the compliance and enforcement process are ongoing as the bulk-power system participants and stakeholders respond to the initial audits.26 One important aspect of the perception that there is lack of uniformity in compliance guidance and enforcement involves the confusion over the individual roles of FERC, NERC and regional entities in the process. The industry is unsure of the weight of one entity’s conclusions over another.27 This confusion is understandable, as Section 215 of the Federal Power Act creates a fair amount of overlap in the responsibilities of FERC, NERC and regional entities. Specifically, FERC is assigned the primary responsibility of ensuring the reliability of the bulk-power system.28 This was the first goal of Section 215—to end the debates on whether FERC had the appropriate authority to enforce reliability standards under the Federal Power Act. By authorizing FERC to ensure reliability and enforce reliability standards, FERC then could delegate to NERC the responsibility to create and enfforce reliability standards. FERC continues to oversee NERC’s tasks and ensures that NERC is operating effectively and efficiently according to FERC’s standards. Although NERC has the daily task of maintaining reliability within the North American electricity grid, by executing delegation agreements with regional entities, another level of authority is created. Nevertheless, the confusion can be clarified by three points.
First, NERC’s main duty is to develop and establish reliability standards because it has delegated its enforcement powers to the regional entities and only retains a small appellate review role.29 Second, the regional entities and FERC mainly are responsible for compliance and enforcement. Third, because FERC has the overriding power to approve settlements and penalties determined by the regional entities and reviewed by NERC, the FERC is the final decision maker in enforcement proceedings. Accordingly, these three points are illustrated by specific compliance and enforcement concerns.
One particular point of contention is whether NERC has passed all tasks of monitoring and auditing for compliance to the regional entities through the delegation agreements. In fact, NERC is active in compliance auditing and shares in the responsibility. While section 1 of NERC’s Compliance Monitoring and Enforcement Program 2009 Implementation Plan states that monitoring and enforcement of compliance is delegated to regional entities, the NERC organizational chart in section 3 simultaneously includes compliance program auditors.30 Just last year, FERC offered guidance on the often confusing compliance audit process. FERC requires compliance audits to be based on recognized U.S. professional standards to allow flexibility, but recognizes the need for a more unified process.31 Under this guidance, when a NERC auditor takes the lead role because he or she is perceived to be the more independent auditor, the regional entity member will serve as only an expert on subject matter and monitor the process.32 Additionally, FERC seeks to separate the compliance audit process from any enforcement roles by discouraging consideration of monetary penalties, sanctions, or decisions regarding violations during the audit.33
The electric industry and regional entities have complained that the compliance and enforcement process isn’t sufficiently transparent. The compliance process is confidential until NERC files notice of the penalty with FERC; it’s therefore difficult for nonparties to gain knowledge of the process. Although NERC is aware of the benefits of not publicizing an alleged violation until the recipient has an opportunity to contest the allegations and an opportunity for a hearing, NERC is committed to share process information while honoring confidentiality at the same time.34 NERC has posted on its Web site charts and timelines showing compliance and enforcement procedures. NERC also improved the auditing process by posting the audit schedule earlier.35 Likewise, NERC addressed the industry’s uncertainty about the variability of audits across regions. NERC developed reliability standard audit worksheets and provides information to the industry about the types of evidence required to show compliance with a reliability standard.36 Moreover, in May 2008, the NERC board of trustees compliance committee began conducting open quarterly meetings to address compliance questions.37 NERC also reached out to the compliance coordinators of regional entities and informed them of the registration database on the NERC Web site, which provides not only up-to-date audit worksheets and the audit schedule, but also new compliance reports, notice of penalty filings, and guidance documents.38
In addition to compliance, NERC assigns the enforcement authority of all regulated entities to the regional entities via the FERC-approved delegation agreements.39 The delegation agreements authorize the regional entities to impose penalties for violation of reliability standards.40 Still, NERC maintains the ability to impose penalties on its own initiative.41 The authority granted to it as the ERO under Section 215 remains intact despite the delegation of that authority to the regional entities. Yet in practice, NERC rarely imposes penalties, because as originally intended by Section 215, NERC is considered to have the technical expertise as to reliability standards, not enforcement.42 In fact, FERC maintains the authority to issue a penalty in absence of NERC action.43 Additionally, any proposed penalty by a regional entity or NERC is subject to review by FERC with or without an application for review by the registered entity. However, while FERC is cautious to retain authority, FERC is equally wary of weakening the enforcement efforts of NERC and the regional entities.44 Neither the legislature nor FERC ever intended to review every notice of penalty filed by NERC and there’s a level of trust in NERC’s discretion of enforcement.
In the end, it’s important to remember that overall, FERC has the duty to ensure uniformity in compliance and enforcement, with assistance from NERC and regional entities. These issues are unlikely to be resolved quickly, and as more enforcement actions make their way through the administrative process, the three entities’ roles in compliance and enforcement will become clearer.
From the currently available information, it’s difficult to determine the effectiveness of NERC standards. The annual CMEP reports show both a lack of change and possible improvements, while the Three Year ERO Performance Assessment Report optimistically finds that reliability indeed has improved.45
Yet the numbers from the compliance monitoring reports and other assessments don’t provide clear evidence to support a finding of improved reliability due to the mandatory standards. In 2008, the most violated standards involved sabotage reporting and transmission and generation protection system maintenance and testing, the same top standards violated in 2007.46 Furthermore, the total number of disturbances increased from 30 to 43, although the increase was due to less severe category 2 disturbances.47 On a positive note, the number of violations for each type of standard decreased dramatically. In 2007 there were a total of 560 violations for the sabotage reporting standard and 256 for the transmission and generation protection system maintenance and testing standard, but only 190 and 204 respectively in 2008.48 The comparison may be unfair because of the six months transition period in 2007 when registered entities were encouraged to self-report because of the enforcement entities’ increased discretion to dismiss self-reported violations.
Another positive effect of mandatory standards, although small, is the decrease of the total number of vegetation-related outages within rights-of-way from 16 in 2007 to 11 in 2008.49 By 2009, for the third quarter from July to September, there were no transmission outages caused by vegetation growing into the lines from within rights-of-way and only three outages caused by vegetation falling into lines from outside rights-of-way.50
The success of mandatory standards also might be suspect because the anticipated deterrence effect of fines hasn’t materialized. Although fines have been assessed, they are much less than the $1 million per day maximum allowed. As of June 2009, only a total of $833,000 in penalties has been assessed against 10 registered entities.51 The largest fine so far has been against Florida Power & Light for a February 2008 blackout that lasted several hours.52
While the numbers don’t give conclusive evidence of success, the three-year ERO performance assessment makes three valid points that indicate that the mandatory reliability regime is proceeding in the right direction. First, one might conclude with some certainty that voluntary standards were ineffective in the past. Because no blackout of the same severity as the 2003 blackout has occurred since 2006, the mandatory standards are at least more effective than the voluntary standards.53 Second, the registration of the owners, operators, and users of the bulk-power system clearly identifies which parties are responsible for what functions of the system, ensuring that industry players are aware of their roles in ensuring reliability.54 Last, NERC’s role as compliance and enforcement coordinator and its annual assessment of the program promotes communication among the regions and timely improvements of the reliability regime as a whole.55
Due to the lack of long-term assessments, it’s difficult to determine whether the standards, audits and enforcement actions have been effective. An additional difficulty in measuring the effect of the mandatory standards is the incomplete nature of the standards themselves, because existing standards are being revised and new standards are being developed. As the standards become more stable and the regulatory entities have more experience interpreting and enforcing the standards, concrete proof of the bulk-power system reliability will develop.
The importance of electricity as a service crucial to the operation of society can’t be overstated. As such, it was only a matter of time before reliability standards became mandatory. Reliability standards have changed immensely since their creation in the 1960s, but their purpose and goal remain the same: prevent blackouts.
The complex system in place today increases regulatory burdens for bulk-power system entities. However, staying informed of the changing standards and new reliability challenges will minimize the risks that affect the operations of bulk-power system participants. Benefits therefore are experienced industry wide and not just by the consumers of electricity. As the regulatory authorities develop clearer standards, streamline compliance and enforcement procedures, and become more knowledgeable of effective program implementation methods, there will be less uncertainly and confusion regarding the regulatory regime.
For now, information from sources such as training sessions, Web sites, and articles such as this assist registered entities in compliance and reach the common goal of ensuring the reliability of the bulk power system.
1. N. American Electric Reliability Corp., Three-Year ERO Performance Assessment Report passim (2009).
2. Id. at 23.
4. N. American Electric Reliability Corp., Best Practices Task Force Report: Discussions, Conclusions and Recommendations, 9 (2005).
5. See id. at 7-10.
6. Id. at 4-5.
7. Id. at 14.
8. Id. at 15. The Operating Committee’s purpose is to support NERC by providing opinions from the experts of interconnected systems. Its functions include advising and supporting NERC’s Reliability Readiness Program, suggesting standards and approving Reliability Coordinator plans. N. American Electric Reliability Corp., Operating Committee Charter 3-4 (2008).
9. Real-Time Tools Best Practices Task Force, N. American Electric Reliability Corp., Real-Time Tools Survey Analysis and Recommendations: Final Report Executive Summary—Page 1 (2008).
10. Id. Introduction—Page 1.
11. Id. Summary of Recommendations, Pages 20-21of 60.
12. N. American Electric Reliability Corp., Programs: Reliability Readiness Program (last visited Jan. 26, 2010).
13. N. American Electric Reliability Corp., Reliability Readiness Program: Examples of Excellence (last visited Jan. 26, 2010).
14. See generally U.S. Dep’t. of Energy, Smart Grid Sys. Report (2009).
15. Id. at 42.
16. Id. at 38.
17. N. American Electric Reliability Corp., Comments of the N. American Electric Reliability Corp. in Response to the Commission’s Mar. 19. 2009 Proposed Smart Grid Policy Statement, Docket No. PL09-4-000, at 13-14 (2009).
18. Id. at 14-15.
19. Standard Drafting Team Project 2008-06, N. American Electric Reliability Corp., Draft Guidance For The Electric Sector: Categorizing Cyber Systems (2009).
20. Standard Drafting Team Project 2008-06, N. American Electric Reliability Corp., Proposed Standard CIP-002-4—Cyber Security—BES Cyber System Categorization.
21. Securing the Modern Electric Grid from Physical and Cyber Attacks: Hearing on H.R. 2195 Before the House Comm. on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, 111th Cong. 1st Sess. (2009) (Testimony of Joseph McClelland, Director, Office of Electric Reliability, Federal Energy Regulatory Commission).
22. N. American Electric Reliability Corp., NERC Compliance Monitoring and Enforcement Program 2008 Annual Report 8 (2009).
23. Id. at 10, 12.
24. Crowe Horwath LLP for N. American Electric Reliability Corp., Compliance Enforcement, Registration, and Certification Program, Process Evaluation Report, 5 (2009).
25. 2008Annual Report at 3.
26. N. American Electric Reliability Corp., NERC Compliance Monitoring and Enforcement Program: 2009 Implementation Plan, 20 (2008).
27. Letter from Southwest Power Pool Inc., Comments on NERC’s 3-Year Assessment (May 29, 2009) (last visited Jan. 26, 2010).
28. See Section 215 (b) Jurisdiction and Applicability, (“The Commission shall have jurisdiction, within the United States over the ERO […] any regional entity, and all users, owners and operators of the bulk-power system […] for purposes of approving reliability standards established under this section and enforcing compliance with this section.”) Energy Policy Act of 2005, 42 U.S.C. § 1211 (2005).
29. Telephone Interview with Joseph Kelliher, former Chairman, Federal Electric Regulatory Commission (July 27, 2009).
30. N. American Electric Reliability Corp., NERC Compliance Monitoring and Enforcement Program: 2009 Implementation Plan,1-3 (2008).
31. Guidance Order on Compliance Audits Conducted by the Elec. Reliability Org. and Reg’l. Entities, 126 FERC ¶ 61,038 at 2 (2009).
32. Id., see also 2008 Annual Report at 27.
33. 126 FERC ¶ 61038 at 4.
34. 2009 Implementation Plan at 17.
35. Id. at 18.
36. Id. at 19.
37. 2008 Annual Report at 14-15.
38. Id. at 20
39. Id at 1.
40. Statement of Administrative Policy on Processing Reliability Notices of Penalty and Order Revising Statement in Order No. 672, 123 FERC ¶ 61,046 at 2-3, 9-10 (2008).
41. Id. at 3
42. Telephone Interview with Joseph Kelliher, former Chairman, Federal Electric Regulatory Commission (July 27, 2009).
43. Id., see also 126 FERC ¶ 61,046 at 3.
44. Id at 9-10.
45. The latest NERC Compliance Monitoring and Enforcement Program and Annual Report is for 2008. The 2009 report has not yet been posted on the Web site. (last visited 1-26-10).
46. Compare N. American Electric Reliability Corp., NERC Compliance Monitoring and Enforcement Program 2007 Annual Report, 8 (2008) with 2008 Annual Report at 13-14.
47. N. American Electric Reliability Corp., System Performance Indicators: Reliability Performance Gap (last visited Jan. 26, 2010).
48. Compare 2007 Annual Report at 8 with 2008 Annual Report at 13-14.
49. Compare 2007 Annual Report at 11 with N. American Electric Reliability Corp., Vegetation Management: Vegetation Management Grow-In Data 2008 (last visited Jan. 26, 2010).
50. N. American Electric Reliability Corp., Vegetation-Related Transmission Outage Report, Third Quarter, 2009 1 (2009).
51. Three-Year ERO Performance Assessment Report at 32.
52. Florida Blackout Order Approving Stipulation and Consent Agreement, 129 FERC ¶ 61,016, Docket No. IN08-5-000 (2009).
53. See Three-Year ERO Performance Assessment Report at 17.
54. Id. at 28.
55. Id. at 28, 44, 47.