Ask the CMEP Advisory Council
One of the purposes of MRO and the MRO Compliance Monitoring and Enforcement Program Advisory Council (CMEPAC) is to conduct outreach and awareness to promote compliance with mandatory NERC Reliability Standards. In November 2016, the MRO Risk Assessment and Mitigation (RAM) Department began encouraging registered entities to submit questions relating to compliance via email at [email protected].
In August 2020, the CMEPAC established the [email protected] email address and monthly calls to assist entities in strengthening their compliance programs, to discuss pending enforceable NERC Reliability Standards, and to field questions relating to NERC compliance from a CMEPAC member perspective. Responses from the CMEPAC are not intended to determine whether an entity is or is not compliant, and may on occasion be forwarded to [email protected] with approval from the submitting entity.
One of the many items discussed within the CMEPAC and considered under the council’s work plan is to coordinate with the MRO RAM Department to periodically review and publish redacted questions posed to HEROs and ask CMEPAC in the Midwest Reliability Matters newsletter. This month, we have three questions and the related responses:
Question 1 (Mixed trust Authentication Environments)
Related to mixed trust in virtual environments as applicable to currently effective NERC requirements: What are the implications for setting up a CKM (Certificate and Key Management) Cyber Asset for shared use between CIP and non-CIP personnel, with users’ accounts in two separate Active Directory (AD) domains: one for CIP users and one for non-CIP? Is setting up this shared CKM system consistent with the 2015 Lessons Learned on Mixed Trust Authentication Environments and able to operate as described without bringing all accounts in the non-CIP AD into scope?
Background: The CKM solution has a web portal where users access and manage their certificates and credentials. To avoid mixed trust issues: 1. All administrators of the system with the ability to provision access for themselves or others would authenticate against a CIP AD; 2. Accounts accessing the system via a non-CIP AD cannot access CIP data; and 3. Non-CIP users would not have administrative rights to edit permissions and grant themselves or other non-CIP accounts access to CIP data. The CKM is not currently an EACMS, but may be in the future.
MRO’s understanding of the implementation is that the CKM: 1. Stores certificates and keys as a repository of machine credentials; 2. Provides a web interface such that users can manage their credentials (Electronic Access); and 3. Is not integrated with CIP-applicable Cyber Assets as a function in an Authorization-Authentication process (EACMS functionality).
Is setting up this shared CKM system consistent with the 2015 Lessons Learned on Mixed Trust Authentication Environments and able to operate as described without bringing all accounts in the non-CIP AD into scope?
In the implementation assumptions described above, the CKM does not meet the definition of EACMS. In a future where the CKM is an EACMS, it is not permissible to partition CIP and non-CIP classes of users having Electronic Access on a single Cyber Asset; the non-CIP users must be brought into scope. The Lessons Learned document does not imply that an individual CIP-applicable Cyber Asset can have Electronic Access granted to a subset of non-CIP users; it is focused on the separation of AD into a root and multiple child configuration with separation between CIP and non-CIP users.
MRO considers actively managing machine credentials to be a good risk-reducing practice. It is assumed that the CKM stores machine credentials associated with a Cyber Asset, rather than with a user account. One should consider whether there are BCSI implications from the combination of data available on the CKM (credentials stored associated with hostname, IP, and username/password from the AD).
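The three conditions in the question’s background (administrators authenticate only against the CIP AD; non-CIP AD accounts cannot reach CIP data; non-CIP accounts cannot edit permissions) and the response’s point that no non-CIP account may hold Electronic Access once the asset is an EACMS are all checkable from an access export. The following is an added illustration, not code from MRO or from any CKM product: it assumes a hypothetical CSV export of portal grants, hypothetical domain names (cip.example and corp.example), and hypothetical role and scope labels, and reports every account that breaks one of the conditions.

```python
"""Audit a CKM web-portal access export against the mixed-trust conditions.

Hypothetical example: the CSV layout, domain names, role names and data-scope
tags below are assumptions for illustration, not a real CKM product's schema.
"""
import csv
import io
from dataclasses import dataclass

CIP_DOMAIN = "cip.example"      # assumed name of the CIP AD domain
NONCIP_DOMAIN = "corp.example"  # assumed name of the non-CIP AD domain

# Constructed sample export. Columns: account (DOMAIN\user), portal role,
# ';'-separated data scopes the account can reach, whether it may edit grants.
SAMPLE_EXPORT = """account,role,data_scopes,can_grant
CIP.EXAMPLE\\alice,admin,CIP;NONCIP,yes
CORP.EXAMPLE\\bob,user,NONCIP,no
CORP.EXAMPLE\\carol,admin,NONCIP,yes
CORP.EXAMPLE\\dave,user,CIP,no
"""


@dataclass(frozen=True)
class Grant:
    account: str            # "DOMAIN\\user"
    role: str               # "admin" or "user"
    data_scopes: frozenset  # e.g. {"CIP", "NONCIP"}
    can_grant: bool         # may provision access for self or others


def domain_of(account: str) -> str:
    """Return the lower-cased AD domain portion of a DOMAIN\\user string."""
    return account.split("\\", 1)[0].lower() if "\\" in account else ""


def parse_export(text: str):
    """Parse the assumed CSV export into Grant records."""
    grants = []
    for row in csv.DictReader(io.StringIO(text)):
        scopes = frozenset(s.strip() for s in row["data_scopes"].split(";") if s.strip())
        can_grant = row["can_grant"].strip().lower() in ("yes", "true", "1")
        grants.append(Grant(row["account"].strip(), row["role"].strip().lower(), scopes, can_grant))
    return grants


def audit_grants(grants, asset_is_eacms=False):
    """Return (account, reason) findings for each condition an account violates.

    asset_is_eacms=True applies the stricter rule from the MRO response: once
    the CKM is an EACMS, any non-CIP AD account with Electronic Access is a
    finding, because those users must be brought into scope.
    """
    findings = []
    for g in grants:
        from_cip = domain_of(g.account) == CIP_DOMAIN
        if g.role == "admin" and not from_cip:
            findings.append((g.account, "administrator not authenticated against CIP AD"))
        if not from_cip and "CIP" in g.data_scopes:
            findings.append((g.account, "non-CIP AD account can reach CIP data"))
        if not from_cip and g.can_grant:
            findings.append((g.account, "non-CIP AD account can edit permissions"))
        if asset_is_eacms and not from_cip:
            findings.append((g.account, "Electronic Access on an EACMS from a non-CIP AD account"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_grants(parse_export(SAMPLE_EXPORT)):
        print(f"{account}: {reason}")
```

In the constructed sample, carol (a non-CIP administrator who can edit grants) and dave (a non-CIP account with CIP data scope) are reported; running the audit with asset_is_eacms=True additionally reports every corp.example account, which is the effect of the response’s EACMS rule on the same export.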
Question 2 (TPL-001-5 Footnote 13)
In Footnote 13, Item 13.a. states the following:
c. A single station dc supply associated with protective functions required for Normal Clearing (an exception is a single station dc supply that is both monitored and reported at a Control Center for both low voltage and open circuit).
Does the term “Normal Clearing” include breaker failure related equipment in the case that some other protection device is required to operate first and has failed? However, in the case of cascading breaker failures there could be an issue if the second non-faulted breaker does not clear. It looks like an N-1-1 type event.
Regarding Footnote 13.a., it does not include breaker-failure schemes. Contingency category P4 addresses a failure of a breaker while attempting to clear a fault on the same list of Elements as listed on P5. Furthermore, the list of Elements in P5 does not include breakers.
Does the term “monitored” above refer to the same items as PRC-005-6 Table 1-4(f)?
Regarding footnote 13.c, there is no direct connection between TPL-001 and PRC-005 and the monitoring criteria in these two standards are not identical, although they do overlap.
Does the term “monitored” in the TPL-001-5 standard only refer to low voltage and open circuit? Are there any criteria or guidance for low voltage (5% or 10% of nominal)? Are there any criteria or guidance for open circuit? Is this an event like a fuse opening or a wire falling out of a terminal?
The only criteria applied to TPL-001-5 footnote 13.c. is that which is included in the footnote: “monitored and reported at a Control Center for both low voltage and open circuit.” The standard does not include any criteria or definition of what constitutes low and high voltage levels or open circuit; this is to be determined by the technical expertise of the registered entity.
Where should the monitoring occur?
The location of monitoring is not specified within TPL-001, but it is clear that the “station DC supply” is the component that must be monitored. The term “station DC supply” is included as one of the five component types in a Protection System, as defined in the NERC Glossary of Terms. The description in the glossary entry is as follows:
Station dc supply associated with protective functions (including station batteries, battery chargers, and non-battery-based dc supply)
Question 3 (EOP-005-3 R6)
EOP-005-3 R6 states:
Each Transmission Operator shall verify through analysis of actual events, a combination of steady state and dynamic simulations, or testing that its restoration plan accomplishes its intended function. This shall be completed at least once every five years. Such analysis, simulations or testing shall verify: [Violation Risk Factor = Medium] [Time Horizon = Long-term Planning]
6.1. The capability of Blackstart Resources to meet the Real and Reactive Power requirements of the Cranking Paths and the dynamic capability to supply initial Loads.
6.2. The location and magnitude of Loads required to control voltages and frequency within acceptable operating limits.
6.3. The capability of generating resources required to control voltages and frequency within acceptable operating limits.
In a blackout scenario, the entity’s restoration plan requires waiting on cranking power from a neighboring system prior to being able to pick up any system load, start any generation, or build out the remaining sub-BES system. The entity is essentially a load center for another system’s island to pick up during the restoration process and would not have a significant impact controlling BES voltages or frequency. Because it does not have Blackstart unit capabilities, it does not believe that R6.1 applies to it and questions whether it has the ability to perform analysis for 6.2 and 6.3, given that its system is just a load for a neighboring system as they build out their island during restoration.
Is the entity, as a Transmission Operator, required to perform the analysis, simulations, or testing to verify its PSR plan under EOP-005-3 in whole, only sub-Requirements 6.2 and 6.3, or not at all?
R6 requires each TOP to verify that its Restoration Plan accomplishes the intended function.
If the System Restoration Plan addresses energization of Cranking Paths (from a Blackstart Resource to the next generator) or initial loads served from a Blackstart Resource prior to the startup of any other generators, then 6.1 requires the TOP to verify the Blackstart Resource capability as it relates to those parts of the System Restoration Plan, whether the Blackstart Resource is located within the TOP’s footprint or outside of it. Conversely, if the startup of Blackstart Resources and energization of Cranking Paths and initial loads is addressed exclusively within neighboring TOPs’ Restoration Plans, then 6.1 could be met through documentation of this fact.
All TOPs must perform some analysis, simulation, or testing to meet 6.2 and 6.3, regardless of the location of Blackstart Resources.
The most recent NERC Standards, Compliance and Enforcement Bulletin can be found here.
If the entity is required to meet EOP-005-3 R6 wholly or in part, how would it meet the Requirement by “Testing” that the PSR plan accomplishes its intended function? The entity understands analysis of actual events and steady state and dynamic simulations, but the testing part is unclear.
R6 can be met through analysis or simulation if testing is not performed. However, if the entity wishes to pursue system restoration plan testing, the following report from FERC provides some information on “expanded” restoration plan testing: https://www.ferc.gov/sites/default/files/2020-05/bsr-report.pdf
Special thanks to the MRO RAM Team for their contributions to this article.
– Mark Buchholz, Western Area Power Administration; Theresa Allard, Minnkota Power Cooperative; Trevor Stiles, American Transmission Company – MRO CMEPAC Members