For many people in the solar industry, NERC CIP regulations seem like a jargony jumble that no one can explain. But there are people who can explain NERC regulations—our friends at GridSME. GridSME is the leader in solar PV when it comes to understanding NERC compliance, regulations and cyber security requirements. They are also our partner for Solar PV Operations Training. We’ve asked one of their subject matter experts, John, to demystify NERC CIP requirements in the following article.
NERC stands for the North American Electric Reliability Corporation. NERC’s job is to set the reliability standards for the electric industry and ensure that the minimum standards are met and adhered to throughout the United States.
Note that the “C” is not “commission” or “committee” as you might expect from a government regulatory body. NERC is not a federal entity, though it feels like the government. It’s a not-for-profit organization that derives its power from a federal entity. The Department of Energy (DOE) and Federal Energy Regulatory Commission (FERC) appointed NERC as the Electric Reliability Organization (ERO) as part of the Energy Policy Act of 2005.
At first, NERC was a voluntary program—an industry group where utilities came together to share information and best practices. Over time, the utilities became more interconnected and the grid became more complex. People came to depend on power and electricity for daily life and even survival. It became clear that we needed more rigor around how to manage risks to the grid that could be disruptive or even catastrophic.
NERC makes the electric industry a bit unique in that it’s self-regulated. Rather than issuing standards itself when it sees risks out on the grid, FERC directs NERC to address them.
When the call comes in from FERC, NERC collectively with its industry participants (aka utilities, solar and others) says, "Alright, this is the reliability gap we need to meet. How do we draft the standard to meet that?" They work, and they draft that standard, and then they go back to FERC and say, "Does this meet your requirements and what you're trying to accomplish?" If FERC says yes, the standard eventually becomes an enforceable standard. If no, then NERC and the rest of the utilities go back to the drawing board.
So are NERC standards annoying rules that utilities and solar PV plants have to deal with? On the one hand, yes, because no one likes dealing with compliance. On the other hand, no, because there are very good reasons that all of the requirements have been put in place. They’ve all been either a direct reaction to a real event or a real risk that NERC and the government sees to our critical infrastructure.
“Critical infrastructure” brings us to NERC CIP standards.
CIP stands for Critical Infrastructure Protection. It is a family or group of NERC standards designed to secure the assets required for operating North America’s bulk electric system, or BES for short. The standards encompass both the physical security and cyber security requirements for the electric grid.
As we just discussed, most NERC standards are a direct reaction to a specific event that happened on the grid, like a blackout. The cause of the event is analyzed and a standard is developed to mitigate the chance of it occurring again for the same reason. CIP standards are different in that they are more proactive. They are developed to mitigate and control potential risks, like a major blackout on U.S. soil due to a cyber attack.
There are currently 14 different NERC CIP standards, each with multiple requirements. There are around 190 requirements altogether for medium and high-impact entities, and only 15 to 20 for low-impact entities. We’ll cover what those designations mean next.
There are different requirements for DG/C&I sized projects versus utility-scale projects. Some solar entities don’t have to register with NERC at all, meaning the CIP requirements don’t apply.
NERC registration requirements are contained in the rules of procedure. Distilling down about six pages of technical definitions, essentially if a solar facility is 75 Megawatts or greater, it will have to register with NERC. At that point, it needs to go through the CIP-002 evaluation process (we’ll cover that in a minute) to determine which CIP requirements it must meet.
That said, we have seen and will continue to see facilities that are less than 75 Megawatts get roped into NERC registration, at which point the CIP requirements trigger.
NERC has outlined a process, contained in standard CIP-002, to determine the inherent risk of a BES facility asset (solar generator, control center, transmission substation). The process is meant to evaluate the inherent impact—low, medium or high—to the BES if that asset was rendered unavailable, misused, degraded, etc.
Any real asset or component of the electric grid goes through what is called the bright-line criteria. For solar, there’s only one bright-line, and it’s 1500 Megawatts. That magic 1500 Megawatt number is the threshold between a low-impact and medium-impact asset.
These impact levels can also be looked at as risk ratings. If a single low-impact generator gets put out of commission or compromised by a cyber attack, the actual risk to the grid and being able to keep the lights on is not all that great from a single-unit perspective. On the other hand, if 1500 Megawatts of energy is suddenly unavailable, that would present a significant risk to the grid. That’s the reason for nearly 200 requirements for a medium-impact entity versus 20 for low.
Power generating entities are registered with NERC as a generator owner, or GO. From a generation standpoint, a plant would have to have more than 1500 Megawatts of real power capability at a single point of interconnection to meet the medium-impact threshold rating. To date there is no single solar plant in the U.S. that is 1500 Megawatts or greater. Therefore, every single solar generation plant in the U.S. is low-impact from a CIP perspective, or, if under 75 Megawatts, no-impact.
So why even have standards for medium and high-impact solar entities if no generation plant currently meets the criteria? It’s because the standards apply to control centers as well as the generation aspect of solar.
A control center is any location or asset that may be, or is, monitoring and controlling more than one generating facility. “Control center” is synonymous with Networking Operations Center (NOC) and Remote Operations Center (ROC)—two solar-specific new terms that solar is introducing into the utility space. At the control center level, entities are registered with NERC as a generator operator, or GOP.
The same 1500 Megawatt threshold that applies to generation facilities also applies to control centers. However, it applies to how many Megawatts of generation the control center is responsible for. There are many medium-impact solar control centers in the U.S. that are responsible for more than 1500 Megawatts of generation.
Solar is new as far as the electric industry is concerned, only reaching utility scale in the last 10 years. It is only in the last two or three years that there’s been enough solar on the grid to impact utilities and grid reliability. Now that we’re having substantial amounts of solar penetration, both the utilities and NERC have to pay more and more attention to solar. They have not caught up with solar yet, but that will change.
Right now there are very few explicit carve-outs or call-outs to solar, specifically, in the NERC reliability standards. Solar is just another generating asset on the grid, and an integral one. Of course, solar operates in a different way than traditional generation does, compared to a cycle turbine or a nuclear power plant. It has very different operating characteristics and constraints. NERC is quickly trying to catch up with solar penetration and develop the appropriate NERC reliability standards to mitigate any risk of solar on the grid.
This is the end of Part 1 of our article series on NERC CIP. Learn more in Part 2, covering NERC CIP requirements for low impact solar facilities. It covers local site requirements, GOP regulations and documentation.
If you are a solar industry professional who wants learn more about NERC Functions and NERC Compliance, we invite you to our quarterly Solar PV Operations Training.