Part 2: Low-Impact Sites
In Part 1 of this two-part article, we covered NERC basics and how to determine which, if any, NERC CIP standards apply to a solar entity. Now let’s cover some of the standards that apply to low-impact solar PV sites.
Standard CIP-003 Cyber Security — Security Management Controls Requirements
NERC Standard CIP-003 is part of a suite of CIP standards related to cyber security. They require organizational, operational and procedural controls to mitigate risk to the BES Cyber System. Although the focus is cyber security, CIP-003 also covers related physical security topics, such as restricting access to the part of a facility that houses the control system.
There are six groups of security requirements within CIP-003-7 that apply to low-impact solar facilities:
- Cyber Security Awareness
- Physical Security Controls
- Electronic Access Controls
- Cyber Security Incident Response
- Transient Cyber Assets and Removable Media Malicious Code Risk Mitigation
- Declaring and Responding to CIP Exceptional Circumstances
We’ll cover each of these briefly, but we encourage you to read about them in depth in NERC’s CIP-003-7 Guidelines.
Cyber Security Awareness
CIP low-impact facilities must have a security awareness program. This includes distributing information about recent security attacks, how they happened, how the organization is going to protect itself from a similar event, and how associates individually can help to protect against that event. Security awareness can also include reminders and refreshers on the organization’s cybersecurity policy. Every low-impact entity is required to distribute security awareness training at least once every year.
Physical Security Controls
For CIP low-impact facilities, there are very broad requirements for some sort of physical access control to the BES cyber system—the core part of the generation facility that can control the facility, turn it on and off, etc. That includes the SCADA system.
Like most good compliance requirements, these physical requirements are open-ended. The standards state what you need to do, not how to do it. The “what” is to physically control and protect access to these critical cyber systems. The “how” is more or less up to the entity that is responsible. Methods run the gamut from simple lock-and-key all the way up to very advanced access control systems including electronic badge readers, video cameras and motion detectors.
Electronic Access Controls
Even low-impact solar entities must control inbound and outbound Internet communications between the plant and the outside world. One of the few explicit technical controls that’s required of CIP low-impact entities is to only allow necessary communications in and out of the facility and deny all other communications. Like the physical security controls, the “how” is largely left up to the facility. 99% of the time, this is done using a firewall.
This is one of the more complex sets of requirements, so again we encourage you to read more on NERC’s website.
Cyber Security Incident Response
Low-impact solar entities must have a cybersecurity incident response plan, or CSIRP, and test it at least once every 36 months. One of the biggest components of the CSIRP is making a determination about whether or not a cybersecurity event meets the reporting threshold for NERC and the Electricity Information Sharing and Analysis Center (E-ISAC).
Transient Cyber Assets and Removable Media Malicious Code Risk Mitigation
Transient Cyber Assets are devices such as laptops, tablets and specialized maintenance equipment that may interface with or run applications that support BES Cyber Systems and can transmit executable code. Removable Media includes flash drives, external hard drives, disks, etc. Both are often used to transport files in order to maintain, monitor or troubleshoot systems at a solar site.
They can also be used to introduce malicious code into a secure system, making them a potential means of cyber attack.
CIP-003 requires entities to document and implement a plan for mitigating the risk of malicious code introduction. The plan must not only address Transient Cyber Assets and Removable Media that are under the entity’s direct control, but also those under the control of third parties, such as O&M vendors.
The standard covers approved means of accomplishing this, including antivirus software, application whitelisting and malicious code detection tools, but is still very flexible and open-ended.
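One concrete way to implement the application-whitelisting option for Removable Media is a hash-based allowlist: the approved contents of a maintenance package are recorded when it is staged, and every file on the media is checked against that record before the media touches a site system. The Python example below is added here and is not code from GridSME, NERC or any vendor; the sample files, hashes and the list of executable suffixes are constructed for illustration.

```python
"""Hash-based allowlist check for files carried on removable media.

Added example, not code from GridSME or NERC. A manifest of approved files
(relative path -> SHA-256) is built when the maintenance package is staged;
before the media is connected to a site system, every file on it is checked
against that manifest. Anything unknown or altered is reported as blocked.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed list of suffixes treated as executable code for reporting purposes
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".msi", ".bat", ".cmd", ".ps1", ".sh", ".jar", ".vbs"}


def sha256_of(path):
    """Stream a file through SHA-256 so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record the approved contents of a staged media image as {relative path: sha256}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def check_media(root, manifest):
    """Return (allowed, blocked): allowed is a list of paths, blocked maps path -> reason."""
    root = Path(root)
    allowed, blocked = [], {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        expected = manifest.get(rel)
        if expected is None:
            # Unknown files are blocked either way; flag executables separately for the report
            if p.suffix.lower() in EXECUTABLE_SUFFIXES:
                blocked[rel] = "executable not on allowlist"
            else:
                blocked[rel] = "file not on allowlist"
        elif sha256_of(p) != expected:
            blocked[rel] = "content changed since approval"
        else:
            allowed.append(rel)
    return allowed, blocked


def demo():
    """Stage constructed sample media, record the manifest, then alter the media and re-check."""
    with tempfile.TemporaryDirectory() as d:
        media = Path(d)
        (media / "firmware").mkdir()
        (media / "firmware" / "inverter_v2.bin").write_bytes(b"constructed-firmware-image")
        (media / "readme.txt").write_text("approved maintenance package\n")
        manifest = build_manifest(media)
        # Simulate what can happen between staging and arrival at the site
        (media / "readme.txt").write_text("altered\n")
        (media / "update.exe").write_bytes(b"constructed-unapproved-binary")
        (media / "notes.txt").write_text("unexpected\n")
        return check_media(media, manifest)


if __name__ == "__main__":
    ok, bad = demo()
    print("allowed:", ok)
    for path, why in bad.items():
        print("blocked:", path, "-", why)
```

The manifest is the piece of evidence an auditor can tie back to the mitigation plan: it shows what was approved, by content rather than by file name, and the check output shows what was refused and why. The same routine works for a third-party vendor's media if the manifest is produced when the vendor's package is approved rather than on the device itself.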
Declaring and Responding to CIP Exceptional Circumstances
This set of requirements covers processes to declare and respond to CIP Exceptional Circumstances.
A CIP Exceptional Circumstance is a situation that involves or threatens to involve one or more of the following (or similar) conditions that impact safety or BES reliability:
- Risk of injury or death
- Natural disaster
- Civil unrest
- Imminent or existing hardware, software or equipment failure
- Cyber Security Incident requiring emergency assistance
- Response by emergency services
- Enactment of a mutual assistance agreement
- Impediment of large scale workforce availability
What are the documentation requirements for NERC CIP compliance?
Documentation is arguably the most difficult part of NERC CIP compliance, or any compliance. It’s not enough to do something; you must prove you did it, and you must maintain that evidence over time. That’s where most people fall short with NERC compliance: they may have done the work of implementing the correct controls, but six to nine years later when they get audited, they can’t locate the records that demonstrate it.
Here’s a common example. Earlier we covered that under the CIP-003 electronic access control requirements, solar entities can only allow necessary communications in and out of the facility and must deny all others by default. That’s straightforward enough using a firewall, but how do you prove that you’re doing it?
It’s not enough to say “I can communicate out to any Internet site from my solar plant, except for known bad sites.” These rules mean the solar plant can’t communicate with any site unless there is an explicit and documented operational or business justification for that communication. Solar facilities must be very granular and say “The solar facility is allowed to communicate with Nor-Cal Controls for remote maintenance and troubleshooting.” This requires a firewall configured with explicit allow rules and a default deny for everything else. The documentation must show all the communication and data allowed in and out of the facility and the explicit reason for each.
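The electronic access control requirement and its documentation requirement are easiest to satisfy together when the rule base and the justification for each rule live in one place, so the evidence list is generated from the same data that drives the firewall. The Python example below is added here and is not code from GridSME, NERC or any firewall vendor; the rule names, addresses, ports, justifications and approvers are constructed placeholders, and the model is a simplified representation rather than any product's configuration syntax.

```python
"""Deny-by-default electronic access policy with generated audit evidence.

Added example (not GridSME's, NERC's or any firewall vendor's code). The policy
model is simplified; remote networks, ports and justifications are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Rule:
    name: str
    direction: str      # "inbound" or "outbound", relative to the plant network
    remote: str         # remote network (CIDR) the plant may exchange traffic with
    proto: str          # "tcp" or "udp"
    port: int
    justification: str  # the documented operational or business reason
    owner: str          # who approved the rule (part of the evidence)


@dataclass
class Policy:
    default_action: str = "deny"
    rules: List[Rule] = field(default_factory=list)


def validate_policy(policy):
    """Return a list of findings; an empty list means the policy is defensible as written."""
    findings = []
    if policy.default_action != "deny":
        findings.append("default action must be deny")
    for r in policy.rules:
        if r.direction not in ("inbound", "outbound"):
            findings.append(f"{r.name}: bad direction {r.direction!r}")
        if not r.justification.strip():
            findings.append(f"{r.name}: missing justification")
        if not r.owner.strip():
            findings.append(f"{r.name}: missing approver")
        if ip_network(r.remote).prefixlen == 0:
            findings.append(f"{r.name}: any-destination allow defeats deny-by-default")
    return findings


def evaluate(policy, direction, remote_ip, proto, port):
    """Decide one flow: the name of the first matching allow rule, else the default action."""
    for r in policy.rules:
        if (r.direction == direction and r.proto == proto and r.port == port
                and ip_address(remote_ip) in ip_network(r.remote)):
            return r.name
    return policy.default_action


def evidence_table(policy):
    """Render the allowed-communications list an auditor asks for, from the live policy."""
    lines = [f"default action: {policy.default_action}"]
    for r in policy.rules:
        lines.append(f"{r.direction:8} {r.remote:18} {r.proto}/{r.port:<5} "
                     f"{r.name}: {r.justification} (approved by {r.owner})")
    return "\n".join(lines)


# Constructed sample policy for a low-impact plant (addresses are documentation ranges)
PLANT_POLICY = Policy(rules=[
    Rule("vendor-remote-maint", "inbound", "198.51.100.0/24", "tcp", 443,
         "Remote maintenance and troubleshooting by the SCADA/O&M vendor", "Plant manager"),
    Rule("telemetry-to-utility", "outbound", "203.0.113.10/32", "tcp", 20000,
         "DNP3 telemetry to the utility control center", "Operations lead"),
])

if __name__ == "__main__":
    print(validate_policy(PLANT_POLICY) or "policy OK")
    print(evaluate(PLANT_POLICY, "inbound", "198.51.100.7", "tcp", 443))   # allowed by rule
    print(evaluate(PLANT_POLICY, "outbound", "192.0.2.5", "tcp", 443))     # falls to default deny
    print(evidence_table(PLANT_POLICY))
```

The validation step is the part that catches the "everything except known bad sites" posture: a default of allow, or an allow rule to 0.0.0.0/0, is reported as a finding before the policy is deployed, and the rendered table is the record to retain for the audit.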
Are there other solar regulations besides NERC?
Since NERC derives its power from a federal agency (FERC), it only applies to interstate commerce and electricity flows. This makes sense as the transmission grid goes across state borders, putting it in the federal jurisdiction. But, that means NERC only has jurisdiction over that main transmission system and the generators and control centers that feed into it. It has no jurisdiction over local distribution systems that don’t cross state lines. The DG and C&I facilities that interconnect on that distribution system don’t meet NERC CIP’s 75 Megawatt registration threshold, meaning NERC has zero impact on those facilities. There are no overarching requirements or a single body that’s responsible for cyber security at these small scale plants.
That makes many utilities nervous. They’re concerned about the risk of unregulated plants interconnecting to their systems, which do have to meet NERC CIP regulations. They’ve put a lot of time, effort and money into securing themselves.
So, in the last year or so, utilities have started issuing hefty cyber-security addendums for all of the solar facilities they’re allowing to connect to their systems. These aren't federal requirements, but they're contractual requirements that solar facilities must meet if they want to sell power on the grid.
What is the future outlook of NERC and its requirements for solar PV power plants?
At GridSME, we are confident that both the NERC CIP registration criteria and the number of requirements are going to become more inclusive and rigorous as NERC catches up to solar. Traditional generation facilities have to start complying with NERC at 20 Megawatts instead of 75. For various reasons, renewables and distributed generation technology have gotten a carve-out for this higher threshold so far, but there has been much theorizing that this will go down.
While there’s no way to know exactly what the increased regulation will look like going forward, we do know that we have a lot of work to do as an industry until we can feel comfortable from a risk mitigation standpoint. There are many more controls that need to be put in place before the “powers that be” and those doing the work can really sleep well at night.
What does GridSME do to help customers facing NERC CIP requirements for their projects?
We offer a full life cycle of NERC compliance services, starting with helping clients understand their potential or current obligations to NERC and how it impacts them. For project-based assessments, we work with clients to develop and implement the necessary compliance and documentation programs. We help entities establish policies, plans and procedures to audit, generate and maintain the evidence they need for NERC documentation.
That generally starts prior to NTP (notice to proceed), working with owners and developers for a facility. We look at network diagrams and network and data architecture in order to implement a network security architecture that meets NERC CIP obligations and general best practices.
Many of these security controls don’t require gold-plated systems or a lot of capital investment, but rather an understanding of how to design, configure and implement the systems. Some of the same simple stuff that gets people in trouble on the Internet (weak passwords, no firewall) can also get solar facilities in trouble, on a larger scale.
We also offer managed security services for clients who don’t have the technical resources or skill sets in-house or just don’t want to detract from their core business function. They can outsource the entire cyber security function to our dedicated team of security engineers and analysts. Of course a part of that service is making sure that any NERC CIP requirements are met along the way and that evidence is generated and retained.
Last but not least, we team with Nor-Cal Controls to provide quarterly Solar PV Operations Training. We teach Grid/NERC 101, which covers (among many other things), NERC Functions and NERC Compliance.
Compliance isn’t the ceiling. It’s the floor.
Regardless of what NERC or other compliance requirements tell them to do or not do, solar entities need to be doing their own business risk evaluations. Are the 20 requirements for CIP low-impact facilities really enough to mitigate risk to an acceptable level? When most GOPs (Generator Operators) take a good hard look at their risk from a business perspective, the answer is “no.”
While NERC is about the reliability of the grid, owners and operators need to be thinking “business continuity.” What’s the financial impact and reputational impact of an event? Even if a control center can’t affect more than 1500 Megawatts of generation, it can affect 100% of your customers.