Global Audit Ready

Global Audit-Ready Standards Updates

This newsletter contains information of interest to compliance professionals in the electric utility industry. Cooper Compliance clients and non-clients alike will find useful, timely information, including the following:

Cooper Compliance News, Global Audit-Ready Enhancements, Industry News: Events, Cyber Security in the News, and Grid Reliability, New or Revised NERC Standards, Retiring Standards, Recently Enforceable Standards, Recent Changes to NERC Glossary, NERC Standards Under Development, and New RSAWs.

Cooper Compliance News

Cooper Compliance Global Audit-Ready products are cost-efficient and enable you to quickly focus on and enhance your compliance program instead of wasting time and money developing your own compliance systems and workflows in-house. Because Global Audit-Ready is an add-on, it allows you to put your resources to work in the most efficient way. Contact us to see how you can start enhancing your program with an installation that takes less than 15 minutes of your IT resources time!.

NERC Requirements List Updated

Added RSAWS for CIP-003-7, PRC-027-1, and EOP-006-3. The EOP-006-3 RSAW is version 2 and had previously been released by NERC as version 1.

Global Audit-Ready Application Enhancements

After the release of our two new products, the Global Audit-Ready Survey and the Global Audit-Ready Approval Tracking System, which let you survey SMEs for pertinent information and usher documents through approval processes while capturing all changes and comments as evidence, we have spent the month making changes recommended by our customers to enhance their experience with the Global Audit-Ready product. These types of enhancements are a key benefit to using Global Audit-Ready.

As part of the package offered to clients, subject matter experts present enhancement ideas to Cooper Compliance team and, if the changes makes sense for all clients, we implement them at no additional cost. This month, we have made enhancements to the following products:

Operator Instruction Log has been modified to include special forms for identifying personnel and equipment being worked on during switching or placing hold tags.

Survey Tool. Exciting changes to the Survey tool released this year let users streamline questions and open multiple tasks. For example, you can survey your subject matter experts to identify if they are making any changes to relays. Drill down questions can identify which types of relays. This may trigger multiple tasks that impact many standards. Tasks might include updating your entity's:

Assessment of BES Cyber Systems

FAC-008 rating

MOD-025, MOD-026, MOD-027 validation testing

PRC analysis and coordination

Cooper Compliance subject matter experts have developed a database of questions and associated tasks that work for all Standards using this tool, giving you a jump start on creating your own Survey questions. Customize each question and task to fit your specific needs.

Workflows and Reminders. The workflows associated with Global Audit-Ready have been enhanced to allow your entity to white list emails from SharePoint 365. This provides additional security to ensure your subject matter experts don’t get spammed or phished.

Global Audit-Ready Reports. The Global Audit-Ready reports have been enhanced to allow users to maintain specific information and documents that are important for internal tracking, but not necessary for audits. All reporting applications and audit documents can be triggered to show and print, or hide, this information.

Cooper Compliance listens to our users! Other minor enhancements have been implemented to our Compliance Activity Tracker, Dashboard, Audit Package Creator, and Operator Instruction Log. Customers may find these changes in our release notes.

Industry News

Industry Events

See Cooper Compliance and get a personalized demo of our NERC Compliance Software at the following events:

9th Annual North American Generator Forum Annual Meeting & Compliance Conference, October 15-17, NERC's office in Atlanta.

WECC Reliability & Security Workshop, providing in-depth outreach to address and mitigate key risks, October 22-24, Paris Hotel in Las Vegas.

GridSecCon 2019, bringing together cyber and physical security experts from industry and government to share emerging security trends, policy advancements, and lessons learned, October 22-25, Westin Peachtree Plaza in Atlanta.

Cyber Security

According to the Wall Street Journal, US launched a cyberattack that took down Iranian missile control computers on the night of June 20th. Iran may attempt to retaliate with spear-phishing strike back attacks against the U.S. Iran appears to be targeting U.S. government and energy sector entities, including oil and gas. For more information, see:

https://www.wsj.com/articles/u-s-launched-cyberattacks-on-iran-11561263454 (subscription)

According to multiple security websites, there is a new sophisticated scam targeting Microsoft 365 users that tricks victims into providing Office 365 credentials. An initial “file deletion” emails appears to be from the Microsoft Team, and prompts users to login into a very realistic-looking 365 login page, which is hosted by Azure, and therefore has a Microsoft-signed certificate. Read more about it by googling “”scam deletion alert Office 365” or viewing these security sites:

https://blog.knowbe4.com/file-deletion-alert-becomes-the-latest-scam-to-compromise-office-365-credentials

https://www.bleepingcomputer.com/news/security/phishing-emails-pretend-to-be-office-365-file-deletion-alerts/

Grid Reliability

Argentina, Uruguay, and Paraguay were subject to a widespread blackout on June 20, putting the equivalent combined population of California, Oregon, and Washington in the dark. Preliminary reports suggested that the blackout likely originated from service disruptions on three 500kV circuits coming out of the municipality of Colonia Elía. One line experienced a fault, a second line tripped automatically, and the third was out of service at the time due to planned construction. Such an event serves as a reminder of why we strive for a reliable power grid through consistent and equally-applied regulations

FERC Order Regarding CIP-006-8

On June 20, the FERC Commission approved CIP-008-6 (Cyber Security – Incident Reporting and Response Planning) to become enforceable approximately 18 months from now, at which time CIP-008-5 will retire. CIP-008-6 is intended to mitigate the risk to the reliable operation of the BES from Cyber Security Incidents and applies to GOP, GO, TO, and some DPs. Under CIP-008-6, both Cyber Security Incidents, which are attempts to compromise, and Reportable Cyber Security Incidents, which are actual compromises, are required to be reported. The Commission also approved the revised definitions of “Cyber Security Incident” and “Reportable Cyber Security Incident” to include attempts to compromise.

Multiple Large CIP-Related Penalties Imposed

Keep on top of those CIP Standards, because the consequences can be dire if you do not! NERC's Enforcement Actions page (https://www.nerc.com/pa/comp/CE/Pages/Actions_2019/Enforcement-Actions-2019.aspx) contains notices of multiple large dollar amount penalties imposed in relation to non-compliant CIP Standards. On June 27, a $775,000 penalty was imposed and on May 30, two million dollar penalties were imposed. In keeping with security guidelines, these entities remain anonymous to help maintain cyber security.

New or Revised NERC Standards In the CCC Standards Database

None

Retiring Standards

PER-004-2 -- Reliability Coordination — Staffing. Applies to RC.

On November 21, 2018 in FERC order RD18-9-000 FERC approved retirement of PER-004-2. It becomes retired the day before PER-003-2 becomes effective, 6/30/2019.

Recently Enforceable Standards

PER-003-2 Operating Personnel Credentials 7/1/2019

TPL-007-3 Transmission System Planned Performance for Geomagnetic Disturbance Events 7/1/2019

Recent Changes to NERC Glossary

Recently Made Enforceable:

1/1/2019: Automatic Generation Control. A process designed and used to adjust a Balancing Authority Areas’ Demand and resources to help maintain the Reporting ACE in that of a Balancing Authority Area within the bounds required by applicable NERC Reliability Standards.

1/1/2019: Balancing Authority. The responsible entity that integrates resource plans ahead of time, maintains Demand and resource balance within a Balancing Authority Area, and supports Interconnection frequency in real time.

1/1/19: Pseudo-Tie. A time-varying energy transfer that is updated in Real-time and included in the Actual Net Interchange term (NIA) in the same manner as a Tie Line in the affected Balancing Authorities’ Reporting ACE equation (or alternate control processes).

10/1/2019: Qualified Path. A transmission element, or group of transmission elements that has qualified for inclusion into the Western Interconnection Unscheduled Flow Mitigation Plan (WIUFMP).

Recently Made Inactive

Inactive Date: 9/30/2019. Qualified Transfer Path.

NERC Standards Under Development

PRC-006-NPCC-2 - Automatic Underfrequency Load Shedding

Applies to GO, PC, CP, TO. This update will:

1) Remove redundancies with the most recent of the Continent-wide NERC Standard, PRC-006-3.

2) Ensure that UFLS island boundaries, once identified, are provided upon request to affected entities.

3)Minimum time UFLS relay time delay added to Attachment C tables and removed as a separate requirement

4)Added the ability for a TO or DP to calculate net load shed for UFLS if direct metering is not available

5)A number of minor clarifications.

6)Clarification that any compensatory load shedding for non-conformance with the Underfrequency trip specification for generation (in service prior to July 1, 2015) must be within the same island as the generator resides.

Comment Period 5/8/2019 6/21/2019

2018-04 Modifications to PRC-024-2 | Supplemental SAR

The purpose of this modification is to identify potential modifications to PRC-024-2 to ensure that inverter-based generator owners, operators, developers, and equipment manufacturers understand the intent of the standard in order for their plants to respond to grid disturbances in a manner that contributes to the reliable operation of the BPS.

Comment Period 6/27/2019 7/26/2019

2019-03 Cyber Security Supply Chain Risks

This project will modify the Supply Chain Standards; specifically it will address EACMSs, those systems that provide electronic access control to high and medium impact BES Cyber Systems.

Comment Period 6/27/2019 7/26/2019

New RSAWs

• CIP-003-7 – Cyber Security — Security Management Controls

• PRC-027-1 – Coordination of Protection System Performance During Faults.

• EOP-006-3 – System Restoration Coordination. This was an update to a previously released RSAW and contains errata only.

About

Cooper Compliance strives to simplify compliance by integrating compliance into our clients’ daily work. The Global Audit-Ready system records and stores evidence as you perform your normal activities, freeing-up time so you can focus on adding value to your organization. Let us know if we can help, or if you would like a demo of our transformative Global Audit-Ready compliance applications.

Cooper Compliance has been providing NERC Compliance services since 2007. The Global Audit-Ready Software suite by Cooper Compliance are SharePoint applications designed to provide automatic RSAW Development as well as controls to ensure accuracy when demonstrating compliance.

Global Audit Ready Standards Update

Happy New Year from Cooper Compliance!

Cooper Compliance is pleased to provide news that compliance professionals need to know. In this newsletter, learn what standards are imminently changing, retiring, or becoming effective. Keep up to date with your entity’s responsibilities for NERC standards. We sift through the NERC website and bring it all together for you in a neat and succinct summary, freeing your time to build your business.   

This report provides:

  • A summary of the updates that were made during the fourth quarter of 2017.
  • A description of projects under development and our comments on each
  • A list of new RSAWs that have been added to the databases underlying Global Audit-Ready, our cutting edge compliance software package for energy industry compliance to government standards.

Those entities utilizing SharePoint 2013 or higher will soon be upgraded to our latest version of Global Audit-Ready that contains many new and exciting features.  For example, word RSAWs and RSAW packages are now auto-generated to prepare you for an audit with a click of a button.  The Global Audit-Ready Operator Instruction Log (OIL) for SP 2013 and higher has many great reporting features.  Contact Cooper Compliance if you are not already a user of OIL to see how it can help your organization raise its bar with a robust compliance program and internal controls.
 

Revised NERC Standards:

BAL-002-2 (R1, R2)
Title: Disturbance Control Standard – Contingency Reserve for Recovery from a Balancing Contingency Event
Applicability: Balancing Authority or Reserve Sharing Group
Effective Date: 1/1/2018
BAL-002-2 contains revisions to, and replaces, BAL-002-1. Major changes are as follows:
In R1 and R2 the VRF (Violation Risk Factor) has been moved from medium to high, replacing BAL-002-01.  To comply with R1 and R2, the responsible entity must supply evidence and documents proving compliance if there is a reportable balancing contingency event.

BAL-502-RF-03
Title: Planning Resource Adequacy Analysis, Assessment and Documentation
Applicability: Planning Coordinator in the Reliability First (RF) region
Effective Date: 1/1/2018
BAL-502-RF-03 contains revisions to, and replaces, BAL-502-RF-02. Major changes are as follows:
From M1, "Each Planning coordinator shall possess the documentation that a valid Resource Adequacy analysis was performed or verified in accordance with R1".  From M3, " Each Planning Coordinator shall possess the documentation identifying any gaps between the needed amounts of planning reserves and projected planning reserves in accordance with R3."  A third requirement was added, which states, “The Planning Coordinator shall identify any gaps between the needed amount of planning reserves defined in Requirement R1, Part 1.1 and the projected planning reserves documented in Requirement R2.”


PRC-006-SERC-02
Title: Automatic Underfrequency Load Shedding Requirements
Applicability: Planning Coordinators, Generator Owners, and UFLS entities, which might include Transmission Owners or Distribution Providers in the SERC region
Effective Date: 1/1/2018
PRC-006-SERC-02 contains revisions to, and replaces, PRC-006-SERC-01. Major changes are as follows:
In this update, the planning coordinator decides when the peak time is for each requirement as seen in R2, either summer or winter.


IRO-002-5
Title: Reliability Coordination – Monitoring and Analysis
Applicability: Reliability Coordinator
Effective Date: 10/1/2017
IRO-002-5 contains revisions to, and replaces, IRO-002-4. Major changes are as follows:

  • R1 Risk factor moved from High to Medium, and Time Horizon reduced to Operations Planning only.
  • Two new requirements were added. The first requires RCs to have data exchange capabilities and spells out the details of those capabilities. The second new requirement describes needed testing of the Control Center data exchange capabilities. R5 now directs that the status of Remedial Action Schemes, rather than the status of Special Protection Systems, be monitored.
  • The Compliance Enforcement Authority is expanded to include any entity designated by the applicable Governmental Authority.

.
COM-001-3
Title: Communications
Applicability: Transmission Operator, Balancing Authority, Reliability Coordinator, Distribution Provider, Generator Operator
Effective Date: 10/1/2017
COM-001-3 contains revisions to, and replaces, COM-001-2.1. Major changes are as follows:

  • The format of the requirement has been updated to include measures directly after the corresponding requirement.
  • Two new requirements, R12 and R13, specify additional interpersonal communication capabilities. R12 specifies that each RC, TO, GO, and BA shall have interpersonal communication that enables operation of the BES while specifying these communications must exist between control centers to control centers as wells as field personnel. R13 specifies that each DP shall have the same.  

The Compliance Enforcement Authority is expanded to include any entity designated by the applicable Governmental Authority.  In this update, the planning coordinator decides whether the peak demand is summer or winter for the purposes of each sub-requirement of R2.

VAR-501-WECC-3.1
Title: Power System Stabilizer(PSS)
Applicability: Generator Owner, Generator Operator in the WECC region
Effective Date: 9/26/2017
VAR-501-WECC-3.1 contains revisions to, and replaces, VAR-501-WECC-3. Major changes are as follows: 

This standard was written to ensure that the Western Interconnection is operated in a coordinated manner under any condition establishing performance criteria for WECC power system stabilizers. This update is due to an errata that corrects the effective date.  .  Requirement R3 has an effective date of July 1, 2017 for first time service after regulatory approval and R3 has an effective date of July 1, 2022 for units placed in service prior to final regulatory approval.  

VAR-002-4.1
Title: Power System Stabilizer(PSS)
Applicability: Generator Owner, Generator Operator
Effective Date: 9/26/2017
VAR-002-4.1 contains revisions to, and replaces, VAR-002-4. Major changes are as follows: 
The standard contained measures to ensure the generator provide voltage and reactive power control within generation facilities.   This update is due to an errata that adjusts foot note 4 to capitalize “Reactive Power” in order to reference the NERC definition for Reactive Power.
 

VAR-001-4.2
Title: Voltage and Reactive Control
Applicability: Transmission Operators, Generator Operators within the Western Interconnection(WECC)
Effective Date: 9/26/2017
VAR-001-4.2 contains revisions to, and replaces, VAR-001-4.1. Major changes are as follows:
The standard was replaced due to an errata that corrected NERC terms, corrected grammar, and other minor grammatical clarifications.  For example, The time horizon was modified from Operational Planning to Operations Planning and M1 clarifies that 30 days means 30 calendar days.
 

NERC Standards Under Development January 2017:

  • 2017-07  Standards Alignment with Registration. Open for comment until January 9. FERC approved the removal of two functional categories, Purchasing-Selling Entity (PSE) and Interchange Authority (IA), from the NERC Compliance Registry due to the commercial nature of these categories posing little or no risk to the reliability of the bulk power system.  FERC also approved the creation of a new registration category, Underfrequency Load Shedding (UFLS)-only Distribution Provider (DP), for PRC-005 and its progeny standards.(Reference) . 

Regarding 2017-07  Standards Alignment with Registration above, the Cooper Compliance feedback to NERC is that we agree with the proposed scope and objectives and with the merging of two SARs into a single SAR. Our comments to FERC are as follows:
Yes we agree the scope is appropriate, we also feel it could be expanded to cover the function of Generator Lead Lines Interconnection Facilities and TOP lite. While there is no registration type as Generator Lead Line Interconnection Facility, the concept has been introduced but is not well defined in the Standards.  In addition, while NERC has temporarily dismissed the concept of a TOP lite, it would be good to reintroduce this concept.  For example, a TOP that only owns a bus bar should not have to have a full blown backup control room and so forth. The Standards should match the risk to the Bulk Electric System. 


•    2017-05 NUC-001-3 Periodic Review. Open for comment through 1/29/2018.  The drafting team did not identify any changes that warrant a new project.  Cooper Compliance Agrees with this assessment.

Regarding 2017-07  Standards Alignment with Registration above, the Cooper Compliance feedback to NERC is that we agree with the proposed scope and objectives and with the merging of two SARs into a single SAR. Our comments to FERC are as follows:
Yes we agree the scope is appropriate, we also feel it could be expanded to cover the function of Generator Interconnection Facilities and TOP lite. While there is no registration type as Generator Interconnection Facility, the concept has been introduced but is not well defined in the Standards.  In addition, while NERC has temporarily dismissed the concept of a TOP lite, it would be good to reintroduce this concept.  For example, a TOP that only owns a bus bar should not have to have a full blown backup control room and so forth. The Standards should match the risk to the Bulk Electric System.

New and Updated RSAW Documents:

Standard Description Date Updated
PRC-006-3 Automatic Underfrequency Load,Shedding 11/29/2017
VAR-001-4.2 Voltage and Reactive Control 11/29/2017
VAR-002-4.1 Generator Operation for Maintaining Network Voltage 11/29/2017
BAL-002-2 Disturbance Control Performance - Contingency Reserve for Recovery from a Balancing Contingency Event 10/11/2017
IRO-018-1(i) Reliability Coordinator,Real-time Reliability Monitoring and Analysis Capabilities 10/11/2017
TOP-010-1 Real-time Reliability Monitoring,and Analysis Capabilities 10/11/2017
PRC-026-1 Relay Performance During Stable,Power Swings 9/25/2017