28 May 2020


Covid Europe

Covid-19 Impacts on Nerc Compliance

Author: Solarplaza

The power industry is quickly adapting to the impacts of COVID-19 but the industry could potentially face more reliability challenges if these impacts continue to persist. NERC is only addressing the reliability and operational preparedness of the BPS owners and operators during the pandemic conditions between April and May 2020.  Additional issues are to be addressed in the 2020 NERC Summer Reliability Assessment. The NERC Event Analysis department intends to publish a lessons learned document with a focus on preparations for energy management, transmission and generator control centres, operations, maintenance, staff availability, and security upon returning to normal operations.  The timing of the release of this document may not support current compliance obligations.

NERC Compliance issues addressed to date:

  • Standards approved for deferred implementation:

    • CIP-005-6 – Cyber Security – Electronic Security Perimeter(s), October 1, 2020;

    • CIP-010-3 – Cyber Security – Configuration Change Management and Vulnerability Assessments, October 1, 2020;

    • CIP-013-1 – Cyber Security – Supply Chain Risk Management, October 1, 2020;

    • PER-006-1 – Specific Training for Personnel, April 1, 2021;

    • PRC-002-2 – Disturbance Monitoring and Reporting Requirements (phased-in implementation for Requirements R2-R4 and R6-R11), January 1, 2020;

    • PRC-025-2 – Generator Relay Loadability (phased-in implementation for Requirement R1, Attachment 1, Table 1 Relay Loadability Evaluation Criteria Options 5b, 14b, 15b, 16b), January 1, 2021; and

    • PRC-027-1 – Coordination of Protection Systems for Performance During Faults, April 1, 2021.

      To both preserve BPS reliability and support pandemic mitigation strategies, industry leaders, including NAES Corporation, are asking various regulators and government agencies to take actions that include ensuring the following:

      • COVID-19 testing is available and streamlined for essential personnel who work in shift environments (i.e., control centre personnel).

      • Relief from certain regulatory obligations is obtained to ensure the continued availability of control room operators.

      • Travel restrictions for the general public exclude personnel essential to the reliable operation of control centres.

      • Supplies for cleaning/hygiene are readily available.

Other items to consider:

CIP Compliance and Cyber Security are also of concern.  The CIP Standards define CIP Exceptional Circumstances to include “an impediment of large-scale workforce availability”.  Our local and federal government mandates of sheltering in place for the flattening the curve of the spread of COV-19 would fall under that definition.  As Michiko Sell, Sr. Reliability Specialist states:  ” This will have very  little impact on Low Impact facilities as the CIP Exceptional Circumstances only applies to Transient Cyber Assets and Removable Media.” 

What does it mean for Cyber Security?  Those bad actors will take advantage of chaos and fear to infiltrate systems.  This is what you can do to protect your systems from COV-19:

  • Keep your anti-virus applications up-to-date.

  • Scrutinize all requests for remote access – don’t recognize the individual, deny access.

  • Evaluate and review senders of emails with attachments regarding COV-19 – care providers will not embed links.

Consider pandemic and emergency mitigation actions to support staffing and staffing practices, including sequestration of essential employees and allowing remote capabilities:

  • If allowing remote access for employees, consider assigning a Plant TCA.  Use existing access request controls when allowing remote access to the BCS – access is always based on need and take steps to ensure that connectivity is secure and deploy two-factor authentications whenever possible.

    • Be clear that that device shall not be used for any other purpose than that set forth in connection with the BCS. 

    • Give your employees instructions on how to:

      • access the VPN,

      • lock the device when not in front of it, and

      • terminate sessions routinely.

    • Ensure that firewall rules are adjusted to allow access and that these rules are returned to their original limiting state after normal business practices are restored.

Adherence to maintenance and testing schedules per PRC-005 requirements may be difficult for those devices that require a third-party assist.  However, for those devices that are not a quarterly or monthly maintenance frequency, maintenance and testing can be performed up until the end of the calendar year and still remain compliant.  Consider approaching your vendor(s) now to get on their schedule for later this year.

Other items:
Reverse power flow due to solar photovoltaic, effects on under-frequency and voltage protection, and lower short-circuit current.

NERC, as has the EROs, have stated that they will be evaluating compliance mitigations on a case by case basis.  This lends itself to inconsistencies in the application of potential states of non-compliance.  Plan to remain compliant.  If a situation arises that requires deviation or deferment of actions that support compliance, reach out to your Regional Entity and submit your case to them per their instructions.



Stay on top of the global solar market by joining one of our upcoming events.