Reducing operational technology (OT) and IT risks to the electricity industry is crucial to the cyber and physical security of bulk-power systems (BPS) equipment and facilities in North America, the North American Electric Reliability Corporation (NERC) said in its 2020 Annual Report. BPS refers to the large interconnected electrical system made up of generation and transmission facilities and their control systems.
Achieving the security objectives depends on the effectiveness and efficiency of NERC’s E-ISAC (Electricity Information Sharing and Analysis Center), which helps members and partners with resources to prepare for and reduce cyber and physical security threats to the North American electricity industry. In 2020, the E-ISAC improved its capabilities through use of augmented tools and better strategic planning to meet the needs of a dynamic and growing membership, wrote Jim Robb, NERC’s president and CEO, in the report.
The regulating agency was able to cut through bureaucracy and focus its attention on meeting critical needs and sharing situational awareness, according to the NERC 2020 report. Prompted by the COVID-19 pandemic last year, it was able to focus on the need for greater agility, increased collaboration and expanding the Electric Reliability Organization (ERO) Enterprise mindset beyond compliance, NERC said.
The ERO Enterprise includes six regional organizations of similar size and complexity, and can deliver effective and efficient reduction of risks to the reliability and security of the BPS, the NERC 2020 report said. NERC provides industry-wide perspective and oversight, and the regional entities have unique features and activities that serve the needs of their regional constituents, while ensuring that the industry follows NERC Reliability Standards.
Cybersecurity continues to be a focus of the ERO Enterprise, with cyber intrusions becoming more prominent over the course of 2020. In September, the Federal Energy Regulatory Commission (FERC), NERC and the regional entities released a joint study on Cyber Planning for Response and Recovery, highlighting best practices for the electricity sector.
As the COVID-19 outbreak reached North America, NERC elevated the electricity sector’s reliability risk profile due to potential workforce disruptions, supply chain interruptions, and an increased cybersecurity threat. COVID-19 introduced significant uncertainty that was without precedent and highly challenging even for the most prepared of industries, the NERC 2020 report said on Tuesday.
Working closely with FERC, NERC was able to provide regulatory relief to industry so focus could remain on protecting workers and retooling operating protocols to maintain the reliability and security of the grid with a largely remote workforce, Robb said.
Other activities included supporting the efforts of the NATF (North American Transmission Forum) to develop a pandemic planning guide for utilities, which would help capture real-time experiences along with the U.S. Department of Energy (DOE) and FERC; developing a special assessment on pandemic preparedness and operational assessment on the industry; and participating with the Electricity Subsector Coordinating Council (ESCC) to draft the guidance document, called Assessing and Mitigating the Novel Coronavirus (COVID-19), he added.
While NERC did not identify a specific threat or degradation to the reliable operation of the BPS due to COVID-19, the agencies did warn stakeholders that prolonged periods of operator sequestration and deferred equipment maintenance increase industry’s risk profile, and could exacerbate impacts to the BPS over the summer and potentially over the longer-term horizon.
However, as pandemic mitigation and containment strategies continue, industry has continued to rise to the challenge, coordinating with government partners and taking aggressive steps to confront these threats to grid reliability, the report reveals.
In December, the DOE partnered with NERC on two pilot projects within the organization’s Cybersecurity Risk Information Sharing Program (CRISP). The purpose of the new pilots is to identify potential cyberthreats to utilities’ industrial control systems by capturing raw and/or refined OT data and comparing it to CRISP IT data.