Issue 4 2020 July/August

INSIDE THIS ISSUE
From the Board
Get Control of Yourself
Continuous Improvement
MOD-026 & 027
The Seam
The Lighthouse
Regulatory Affairs
Standards Update
Watt's Up at RF
Calendar
RF Members

Note from the President

Dear Stakeholders,

As many of us continue to work from home - RF has extended our work-from-home option through the end of 2020 - I'm encouraged that the ERO Enterprise's response to these difficult times has been to band together and collaborate more than ever before. I commend our entire industry for quickly adjusting day-to-day responsibilities and tasks in order to keep the lights on during the pandemic, and I hope we have collectively reached a point where we can refocus on long-term projects, exciting innovation efforts, implementation of new Standard/Requirements and other pre-pandemic plans.

Although the majority of RF staff is home, everyone continues doing an excellent job following through with pre-pandemic plans. This includes welcoming new team members, participating in industry events as speakers and panelists, representing RF in leadership programs, and executing virtual meetings and events.

As I write this, we're just wrapping up a handful of workshops and webinars that I hope you attended and gained valuable insights from. These outreach activities covered the topics of human performance, protection systems, facility ratings and supply chain - and we're already receiving wonderful feedback from attendees. Thank you to everyone throughout the ERO and industry who attended, presented and contributed to these successful efforts to share knowledge and expertise for the greater good of the grid.

I also want to extend a warm welcome to the new members of the RF Board of Directors and my sincere thanks to those who are departing. Terms begin in January 2021 for Jason Marshall, Executive VP, Transmission and Regulatory Affairs at Wabash Valley Power Alliance, and Antonio Smythe, Senior VP of Transmission Ventures, Strategy and Policy at AEP, and congratulations to Lynnae Wilson, Senior VP - High Voltage Operations at CenterPoint Energy, on being reelected as Vice Chair. Jason will represent the Small LSE Sector, Antonio will represent the Supplier Sector, and Lynnae will continue representing the Transmission Sector. We will miss departing members Susan Sosbe and Lisa Barton and are grateful for their valued service.

Be safe and be well.

Forward Together,
Tim Main

ReliabilityFirst Corporation
3 Summit Park Drive, Suite 600
, OH 44131
Phone: (216) 503-0600
Website: www.rfirst.org

From the Board
By: Ron Ross

RF held its Third Quarter Board of Directors meetings via WebEx on August 12-13. RF staff and special guests provided presentations on various topics. Highlights included the following:

The keynote speaker was Eric Smith, Special Agent in Charge of the Cleveland FBI office. Special Agent Smith discussed the current threat landscape facing the U.S. and the bulk electric system. He stated that the threats, particularly cyber threats, are growing more complex than they have ever been. He discussed threats posed from terrorist groups, homegrown extremists, insider threats and nation states. Special Agent Smith stressed the importance of the relationship between the FBI and the private sector, and noted that the FBI wants to partner with RF and its entities, and help in any way that it can.

Tom Galloway, President and CEO of the North American Transmission Forum (NATF), discussed the recent activities of the NATF and the collaboration between the NATF and the ERO Enterprise. He noted that the NATF has been facilitating actions in response to the recent Executive Order on the Bulk Power System regarding supply chain issues, the subsequent Department of Energy Request for Information, and NERC Alert related to this Executive Order. The NATF is also working on a project to improve the accuracy of facility ratings. This project includes the creation of a best practices document, webinars, and monitoring and periodic reports back to the ERO.

Stan Hoptroff, Vice President of Business Technology at NERC, provided an update on the progress of the Align Tool and Secure Evidence Lockers project. He discussed the benefits of the Align Tool and Secure Evidence Lockers, the challenges associated with the project, and the plan for training and workshops going forward.

Joe Mulhern, Dan Frogg and Vince Stefanowicz from PJM provided an informative training on intermittent generation reliability issues and modeling techniques. They discussed behind-the-meter generation and how this generation can cause changes in operation. They also discussed load forecasting, including wind and solar forecasting activities.

ReliabilityFirst Board of Directors and Committee Meetings will be held via WebEx December 2 and 3, 2020.

RF Elects Directors for Small LSE, Supplier and Transmission Sectors

Industry sector director elections were held on August 7. RF welcomes Jason Marshall and Antonio Smythe to the Board and is pleased to announce that Lynnae Wilson was reelected as director for the Transmission Sector.

Small LSE Sector

Jason Marshall is the Executive Vice President, Transmission & Regulatory Affairs for Wabash Valley Power Association. In this role, he implemented an initiative to improve transmission reliability and recover transmission costs through a MISO tariff by reducing the growth of wholesale transmission service costs, stood up a new operations center, and acquired new transmission assets and integrated them into the RTO.

Prior to joining Wabash in 2017, Mr. Marshall was the Vice President, Regulatory & Reliability Services for ACES, where he led reliability compliance, regulatory and market affairs departments. He also has served as Technical Manager at MISO, Operating Engineer at Duke Energy and Senior Engineer at MAIN Coordination Center.

Mr. Marshall has a B.S. from Rose-Hulman Institute of Technology in Electrical Engineering, a M.S. from Clemson University in Electrical Engineering, and a MBA from the University of Indianapolis.

Supplier Sector

Antonio Smythe is Senior Vice President of Transmission Ventures, Strategy and Policy at American Electric Power (AEP) and is President of Transource Energy, AEP's competitive electric transmission subsidiary. In his current role, Mr. Smythe leads asset strategy, federal regulatory and policy, finance, and commercial development activities for AEP's $20 billion electric transmission infrastructure business. He also is responsible for project siting, outreach, right-of-way acquisition, and AEP's $4 billion investment in multiple electric transmission joint venture companies. In addition to his role in electric delivery, he currently plays a key role in the development of AEP's regulated renewable energy projects.

Mr. Smythe has extensive experience in executive leadership in the energy business. Throughout the past 20 years, he has held positions of increasing responsibility at AEP and has testified as an expert on electric industry matters before FERC and state energy regulatory commissions. Prior to his current role, he led the development of AEP's transmission ventures business, which is responsible for the origination, ownership and operation of several large-scale electric transmission infrastructure companies across the U.S. Mr. Smythe also has served in key leadership roles in the strategic initiatives organization, which is responsible for corporate strategy and mergers and acquisitions, and in the corporate finance organization.

Mr. Smythe is a U.S. military veteran and earned both a Bachelor of Arts in economics and a Master of Science in applied economics from Ohio State University. He also has completed the executive program at the Fisher College of Business at Ohio State University.

Transmission Sector

Lynnae Wilson is Chief Business Officer, serving as Electric Lead for CenterPoint Energy. She is responsible for power generation operations and construction, electric transmission and distribution operations, electric engineering, and oversees MISO engagement, which includes power marketing.

In this role, Ms. Wilson also is responsible for key account management and integrated resource planning, which determines the company's future electric generation portfolio.

She has more than 15 years of experience in combined natural gas and electric utilities and electric generation with Vectren, in addition to experience in the manufacturing and mining industries.

Most recently, Ms. Wilson was Vice President, Energy Delivery for Vectren Utilities Holding, Inc. headquartered in Evansville, Indiana. She led a team of 850 employees throughout Indiana and responsible for electric and gas field operations, gas storage, electric and gas engineering and electric and gas system operations.

Ms. Wilson is a graduate of Missouri University of Science and Technology, where she earned her bachelor's degree in mining engineering.

Get Control of Yourself
By Denise Hunter, Principal Technical Auditor

Documenting Real-time Assessment Internal Controls

If you've ever had the opportunity to listen to an RF presentation on internal controls, you know that documenting your controls is essential. If the control isn't documented, how can you be consistent? However, that's often easier said than done.

Real-time assessments (RTAs) are a critical activity within our industry. They're integral to grid reliability - so integral that a number of Standards address them, including TOP-010-1(i), TOP-001-4, IRO-010-2, and CIP-012-1, to name a few. How you perform RTAs should be a documented internal control process, but where and how do you begin?

Before I begin, remember that this control outline may not speak to exactly how your organization performs RTAs, but you should be able to translate this to ensure your practice matches your process.

The NERC Glossary of Terms defines an RTA as "an evaluation of system conditions using Real-time data to assess existing (pre-Contingency) and potential (post-Contingency) operating conditions." Additionally, some Standards require the performance of this process at least once every 30 minutes. An RTA is a (human) assessment of the information provided by a Real-time Contingency Analysis (RTCA) and State Estimator (SE), along with other information. Thus, if the RTCA or SE goes down, an RTA must still occur.

Often when a control is performed utilizing technology (i.e., SE, RTCA), there is a misunderstanding that the risk has been fully mitigated. However, as we all know, technology is only as good as the data it has to work with. We do not have any "plug and play" technology that requires no human interaction; therefore, we must mitigate the human factor.

In the past, organizations focused on providing evidence of compliance by providing a log showing that the RTA took place every 30 minutes. With a risk and control mindset, the focus shifts to how (and how well) your organization determines all the appropriate criteria is included, that quality data is used, and that you perform an appropriate analysis. Additionally, how did you determine what constituted sufficient monitoring or if there are defined ranges of tolerances with actionable steps to address gaps in Situational Awareness?

Appropriate determination of these criteria could depend on a number of factors, but I will focus on only one. Do you have a clear understanding of the RTA expectations and their risk exposure? A clear understanding of expectations is critical to ensure proper analysis. Do you understand all the components of an RTA (i.e., what is Real-time and Real-time data)? Truly understanding your RTA components is imperative to determine all your criteria.

What Should be Included in an RTA?

Documenting the determination of the appropriate elements and Real-time data is required in order to establish a baseline and provide for consistency. Your control documentation might include:

1. Who was involved in determining the elements and Real-time data included in the studies? (i.e., cross functional team)
   a. Note: if a cross-functional team (segregation of duties) is not possible, then ensure that a review by a knowledgeable party is included throughout the process.

2. What qualified their participation? (i.e., PE, protection system specialist)

3. Document considerations for determining the elements and Real-time data used in the study (i.e., neighboring facilities). This might include an impact study with clear thresholds for inclusion (i.e., 5% distribution factor), Real-time weather data, load, etc.
   a. Begin with a clear definition of your RTA; what is it composed of?
   b. What constitutes "good" data, and what is the acceptable range signifying sufficient data?
   c. What happens if the data source goes down? What if you are running your own RTCA and it goes down?
   d. If the data is from an outside source, how are you ensuring the data is sufficient? (i.e., annual questionnaire of suppliers' controls?)
      i. Additionally, you should include mutually agreed upon communication methods and timing of when data is provided.
   e. If you are unable to perform your RTA, what happens?

4. Document how the contingencies included in the studies were determined (i.e., stuck breaker, delayed clearing, N-1-1, N-G-1). Document those contingencies considered but not included, as well as the reasoning behind why they were not included.

5. Define and document a root cause process for unsolved contingencies (i.e., determining a simulated instability vs. a steady-state issue).

6. Are there additional studies to validate or support the RTA? (i.e., if Inverter Based Resources are involved, should a transient stability study with current SE solutions also be running?)

7. How are models managed/maintained? Include both a defined change management control [1] and a defined review process (i.e., telemetry reviewed annually).
   a. Models expanding beyond your footprint; how do you ensure the model is accurate?

8. Define analysis expectations. Simply running the studies isn't enough. You also should define what the operators are expected to review (within reason). Not every contingency can be defined, but people with knowledge of the system should be able to identify the most critical/common.
   a. Address SOL exceedances.
   b. Include documentation expectations. Documentation provides assurance the activity occurred and evidence of control performance during your monitoring or CEA engagements.

9. Is overlapping coverage part of the RTA? If it is, include mutually agreed upon, clear expectations regarding who is looking at what, who has decision-making authority, etc.

10. How frequently is the entire RTA process reviewed? Is annually enough or too much? That depends and should be spelled out as to why the determined timeframe was selected.

11. The RTA process should be called out for review during any changes that are performed on the system (and MUST be included in the organization's Change Management Control).
   a. If neighboring entity information is included in the models, clear understanding and notification of changes to their system is required. How do you ensure that happens? Is there a quarterly/bi-annual/annual inquiry with all parties?
      i. Note: whenever you are relying on data not under your control, you must perform some form of due diligence to ensure the sufficiency of the data.

12. Whenever manual intervention occurs with the RTA tools (i.e., data entry), include a reconciliation to ensure the data entered matches the approved source documentation.

13. Finally, define monitoring expectations.

I hope this outline helps you establish your RTA internal controls. Remember, the cost of the control should never exceed the benefit. In other words, be sure you are mitigating YOUR risk.

Until next time, be kind to each other and get control of yourself!

[1] See 2019 July/August newsletter (Gaps in Program Execution) for change management controls

Continuous Improvement - CI Foundations
By Sam Ciccone, Principal Reliability Consultant

The Journey to Security, Resiliency and Reliability

"Security is always excessive, until it's not enough." - Robbie Sinclair

Lew's Lighthouse article in this newsletter discusses CIP-012-1, which requires entities to "mitigate the risks posed by unauthorized disclosure and unauthorized modification of Real-time monitoring data while being transmitted between Control Centers." This article identifies some Continuous Improvement (CI) and Assessment practices that could improve your information and data security relevant to CIP-012-1.

Continuous Improvement for Data Security

The CI article from the May-June Newsletter presented various CI methods, one of which included Plan-Do-Check-Act (PDCA). To begin, step back and ask yourself "How does CIP-012-1 fit into the bigger picture?" This is a crucial part of the "P" in PDCA.

The PDCA method is discussed in the ISO Standard titled "Information Security, Security Techniques and Information Security Management Systems" (ISO/IEC 27001:2005) [1] that forms the basis of requirements for the ISO/IEC 27000 series of information security standards. ISO/IEC 27001:2005 not only presents information security best practices, but also CI guidance, and defines Information Security Management System (ISMS) as "that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security." [2] Figure 1 of the standard illustrates the PDCA cycle in ISMS processes.

Figure 1 - PDCA model applied to ISMS processes [3]

CIP-012-1 requirements correlate to "Plan" and "Do" in the cycle, but the cycle doesn't stop there. Figure 1 includes the "C" and "A" to complete the CI process. Not only must you develop and implement a plan (as per CIP-012-1), but you also should "Check" (i.e., monitor and review the process) and "Act" (maintain and improve it). Per ISO/IEC 27001:2005, "Check" is defined as "assess and measure process performance against ISMS policy, objectives and practical experience and report the results to management for review." [4] Here, you can use, assess and measure process performance by RF's maturity model assessment to benchmark your data security system. The "Act" portion is defined as "maintaining and improving the ISMS, and then taking corrective and preventive actions to achieve continual improvement of the ISMS." [5] After your data security system assessment, you can "Act" through incremental improvements that make the most sense from a security and resource availability standpoint.

Assess and Improve with Specific Maturity Domains

What can we do to begin maturing our data security posture?

You can use RF's Information Management maturity domain activities to assess your data security posture. Take the first activity, identification and assessment of information item risk. This includes a risk assessment to determine the relevance and impact of loss, or degradation, of each information item to continued operations. Other important activities involve controlling access to and modification of information.

[1] https://www.iso.org/standard/42103.html. This is the 2005 version of the standard; the 2013 (and latest) version does not prescribe or show PDCA as an example. This was due to ISO/IEC adopting PDCA in their high level Annex SL (now just L) Directive, which ensures consistency and compatibility among the other management system standards such as ISO 9001 Quality Management, ISO 14001 for Environmental Management Systems and ISO 50001 Energy Management Systems. This ensures these standards follow the PDCA and 10 clause format.
[2] ISO/IEC 27001:2005 Section 3.7
[3] ISO/IEC 27001:2005 Figure 1
[4] ISO/IEC 27001:2005
[5] ISO/IEC 27001:2005

Information Management (INFO)

Activity: Identification and Assessment of Information
High Level of Maturity: A risk assessment is performed that includes a focus on the risks to the BES. Also, information items are identified and risks are formally analyzed as to their potential impact to the BES.

Activity: Control Access to Information Items
High Level of Maturity: Access control roles, individual access and logs are regularly reviewed. Logical and physical vulnerability tests are performed on a regular basis to assess that access controls are working. Different levels of the system from application, server, database, network devices, SCADA/EMS/PLC devices, physical access controller systems, and third-party hosted systems are considered.

Activity: Control Modification of Information
High Level of Maturity: Information items are tracked and communicated, logs are regularly reviewed, and regular reviews are performed to assess information items.

What can we do to mitigate the risks of relying on external partners for data security and integrity?

CIP-012-1 Requirement R3 Part 1.3 requires "identification of the responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time Assessment and Real-time monitoring data between those Control Centers, if the Control Centers are owned or operated by different Responsible Entities."

Therefore, some organizations face additional security risks with data transmission due to their reliance on external organizations, vendors and other third parties. One way to assess and mitigate these external risks is to use the RF External Interdependencies (EXID) domain: see the table below for examples of items assessed under this domain.

External Interdependencies (EXID)

Activity: Establish Specifications for External Interdependencies
High Level of Maturity: Documented agreements are in place noting key specifications tailored to each external entity, including incentives for reducing risk. A clearly identified internal manager is assigned to the external entity with clear roles and responsibilities.

Activity: Monitor
High Level of Maturity: A key internal liaison provides periodic status, and monitoring of performance is in place (e.g., a measurement or analytics department tracking the performance).

Activity: Reduce the Risk of Interdependencies through CI Initiatives
High Level of Maturity: A formal agreement is in place requiring continuous improvement in the identification and mitigation of risks at the external entity. It includes incentives when external entities continuously improve, and there is language encouraging continuous improvement at the external entity.

What can we do to begin maturing our data availability per future changes to CIP-012-1?

The Order [6] approving CIP-012-1 directed NERC to make modifications to "require protections regarding the availability of communication links and data communicated between control centers." This is an established NERC project: Project 2020-04 Modifications to CIP-012.

In preparation for this change, one of the first things you can do is follow the development of this standard on NERC's website. We encourage you to follow standards development to prepare for your compliance obligations. Further, RF's Information Management maturity domain has activities applicable to the CIP-012-1 directive, specifically ensuring availability, confidentiality and integrity of information. This will help ensure that your information items are managed and protected.

Information Management (INFO)

Activity: Ensuring Availability, Confidentiality and Integrity of Information
High Level of Maturity: Formal controls assessments are performed addressing physical, technical and administrative controls, including a gap analysis to determine additional controls needed.

[6] FERC Order 866, Docket No. RM18-20-000; Order No. 866

Conclusion

CIP-012-1 fills an important gap in the CIP standards, requiring protection of operational data transmitted between control centers, and it provides additional opportunities to strive for CI while meeting compliance obligations. To recap:

- Branch out from the NERC standards to the ISO standards, specifically the 27000 standards series, which provide tools for data security success. ISO/IEC 27001:2005 recommends improvements to data/information management including Continual Improvement, Corrective Action and Preventative Action.

- Benchmark the state of your data security and determine improvements through RF assessments. Assessments provide a roadmap to incremental improvement (i.e., improvement that fits your organization's strategic objectives at any given time). You can learn more about the maturity model used for Assessments in RF's Knowledge Center.

- Learn and apply Lew's article material and reference documents provided in his Lighthouse article on CIP-012-1. This arms personnel with knowledge of the standard and may drive ideas for improvement in data security.

For more information on how RF can help you improve your CI efforts, please contact Brian Thiry, Manager, Entity Engagement.

MOD-026/MOD-027 Insight - Average Net Capacity Factor

By Johnny Gest, Manager, Engineering and System Performance

ReliabilityFirst has received multiple questions from Generation Owners pertaining to MOD-026-1 and MOD-027-1. Both standards allow an exemption in performing model verification, as specified in R2, that is dependent on the appropriate calculation of average net capacity factor. It is critical that the complexities around average net capacity factor are understood to ensure efficient use of resource allocations and maintain compliance with each standard. The intent of this article is to use commonly asked questions and examples to provide clarity around the use of appropriate values and timing when determining applicability to the capacity factor exemption.

For the capacity factor exemption referenced in Attachment 1, what is the appropriate start date to use for the recurring 10-year timeframe?

If an entity is eligible for the capacity factor exemption, R2 is met with a written statement to that effect transmitted to the Transmission Planner (TP). Otherwise, the start date is the actual date of submittal of a verified model to the TP for the most recently performed unit verification. The actual date of submittal can vary for each unit, so it is critical for each Generator Owner to keep accurate records.

In order to determine the average net capacity factor, the net capacity factor for the three most recent calendar years (beginning on Jan. 1 and ending on Dec. 31) is required. Can RF provide a working example for the capacity factor exemption in relation to the Implementation Plan?

1. Per the Implementation Plan, Generator Owners needed to have 30%, 50% and 100% of their generating unit MVA capacity to be compliant as of July 1, 2018; July 1, 2020; and July 1, 2024, respectively.

2. Using an initial submittal date of July 1, 2018 an entity determines that Unit "A" has a current average net capacity factor over the three most recent calendar years of 5% or less using data from 2015, 2016 and 2017. Note that RF may request substantiating evidence (other than GADS data) to confirm the average net capacity factor. An entity satisfies R2 for Unit "A" with a written statement to that effect transmitted to the TP. Unit "A" is now eligible to count toward being complete in the Implementation Plan for the next 10-year period (until 2028).

3. The first date of the Implementation Plan occurs on July 1, 2018. An Entity must have 30% of its applicable unit gross MVA per Interconnection verified per R2. Unit "A" is considered complete and is included in the 30% required to be complete.

4. The second date of the Implementation Plan occurs on July 1, 2020. An entity must have 50% of its applicable unit gross MVA per Interconnection verified per R2. Unit "A" is still within its 10-year timeframe and considered complete. As a result, it is included in the 50% required to be complete. No further action is required.

5. The third date of the Implementation Plan occurs on July 1, 2024. An entity must have 100% of its applicable unit gross MVA per Interconnection verified per R2. Unit "A" is now at the end of its 10-year period and requires re-evaluation per Attachment 1 using years 2021, 2022 and 2023. If Unit "A" still satisfies the average net capacity factor over the three most recent calendar years of 5% or less, then R2 can be met with a written statement to that effect transmitted to the TP. If it does not meet the capacity factor, then it needs to be verified within 365 days of the date the capacity factor exemption expired (by July 1, 2025) to satisfy R2.

The emergent theme surrounding the capacity factor exemption associated with MOD-026 and MOD-027 was discovered through interactions between RF and Registered Entities in the Assist Visit program. RF encourages continued interactions using this forum to spread awareness and understanding of emerging and complex issues in the industry.

Have You Ever Experienced the Following?

- An internal debate regarding what deliverables are actually required in a standard
- Curiosity about successful compliance or operational approaches being used by peer companies
- A need for a free, independent, third-party review of a recently developed process or procedure

If you answered "yes" to any of these questions, then an RF Assist Visit could be in your best interest. For more information, please visit the Assist Visit section of the RF website.

The Seam

By PJM Interconnection, LLC

New Subcommittee Focuses on Hybrid Resource Needs

PJM Has More than 13,000 MW of Solar-Plus-Storage Resources in its Queue

August 6, 2020

PJM and stakeholders have begun a process to identify operational and market enhancements needed to accommodate a growing number of hybrid resources looking to enter the PJM market.

Hybrid resources are composed of two types of generation at a single point of interconnection. Practically speaking, that's generation and energy storage. And while the model may apply to any type of generation, including wind, the most common pairing in PJM is solar and storage.

More than a quarter of the solar megawatts in the PJM interconnection queue represent solar-plus-storage - signaling a trend for the region and reflecting a nationwide resource shift.

133 Projects in 11 States

PJM has 133 solar-plus-storage projects in its New Services Queue, representing more than 13,000 MW, Andrew Levitt, Senior Market Design Specialist, said Aug. 3 in the first meeting of the new DER and Inverter-based Resources Subcommittee. The group was formed by merging the DER Subcommittee into a new entity that reports to the Market Implementation Committee.

The hybrid projects are located in 11 states. In order of largest to smallest output within a state, they are located in: Indiana, Ohio, , , , , , North Carolina, , and .

According to Jason Connell, Manager of Interconnection Projects, solar-plus-storage hybrids began entering the queue in April 2018. The following year, about 5,000 MW of solar-plus-storage hybrids entered the queue between April and September. Since then, another 3,000 MW have been added.

Figure: Solar and hybrid solar by state in the PJM New Service Queue

Nationwide Trend

Across the country, a number of factors are driving these projects, including the declining cost of batteries and solar technology, individual states' efforts to reduce greenhouse gas emissions and the various economic efficiencies of sharing one site, interconnection and electric system.

At the end of 2019, PJM, ISO New England, California ISO and MISO collectively had 56,547 MW of hybrid resources in their queues, according to statistics compiled by Grid Strategies and the Energy Storage Association.

The movement has not gone unnoticed by the Federal Energy Regulatory Commission, which held a technical conference July 23 "to discuss technical and market issues" with hybrids.

Energy storage resources combined with wind or solar generators offer the ability to "firm" the output of variable resources, increasing their resource adequacy value and offering operational benefits, Levitt testified at the conference.

Hybrids Modeled as One Unit

The first focus of the group will be on solar-plus-storage resources that will be modeled as a single resource for the purpose of offering into PJM's energy and ancillary services markets.

These new hybrid projects differ from existing co-located fuel types in the PJM footprint, which are modeled as two distinct units because they don't operate together, said Subcommittee Chair Scott Baker, Senior Business Solution Analyst.

However, solar and storage enjoy a unique synergy, in that they both make similar use of inverters to convert current from DC to AC, Levitt said.

In some cases, the battery component may be able to charge from the grid. In others, it will charge from its paired generation source.

"We're trying to apply existing rules to these resources where possible - we're not trying to create a brand-new thing," Baker said. "But it's possible that we need to change some rules."

The subcommittee is aiming to have a report ready for the MIC by the end of the year, he said.

One of Several PJM Initiatives

The study of hybrid resource needs is one of several PJM and stakeholder initiatives to align market rules and system requirements with the rising availability of renewables and energy storage.

The Capacity Capability Senior Task Force is exploring new methods of calculating how much power resources such as wind, solar and energy storage may offer into the capacity market.

Special sessions of the Planning Committee also are studying the concept of using storage as a transmission asset.

And in June, stakeholders endorsed the creation of the Emerging Technologies Forum to support PJM's Advanced Technology Pilot Program.

Page 10 Issue 4 July/August

The Lighthouse

By Lew Folkerth, Principal Reliability Consultant

CIP-012-1 In-Depth

In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resiliency and sustainability of your CIP compliance programs. There are times that I also may discuss areas of the Standards that other entities may be struggling with and share my ideas to overcome their known issues. As with lighthouses, I can't steer your ship for you, but perhaps I can help shed light on the sometimes stormy waters of CIP compliance.

[Photo: Muskegon, MI: S & N Breakwater, S Pier - Photo: L Folkerth]

On January 23, 2020, FERC issued Order 866 approving CIP-012-1, Cyber Security - Communications between Control Centers, as mandatory and enforceable. Let's take a close look at some key concepts in this new Standard. Although CIP-012-1 won't become effective until July 1, 2022, we should start our security and compliance planning now in order to ensure we can properly address the long lead-time actions.

In this article I will abbreviate "Real-time Assessment and Real-time monitoring data" as "RTA/RTM data." (Note that this is not a NERC-approved abbreviation.)

Scope and Applicability

CIP-012-1 is unusual within the Cyber Security Reliability Standards in that it doesn't refer to impact ratings or BES Cyber Systems. Instead, CIP-012-1 applies to certain communications between Control Centers.

One way to determine if you need to comply with CIP-012-1, and, if so, which communications need to be protected, is to follow this series of steps:

1. Identify all applicable facilities meeting the definition of Control Center.
   a. List all Control Centers your entity owns or operates.
   b. Remove exempt Control Centers from the list.
2. Identify the types of data to be protected.
3. List applicable communication paths.
4. Identify communication paths to be protected.
5. Identify entity coordination requirements.

What's Required

You must develop at least one plan (which I'll call a data protection plan) that identifies the type of security protections used and identifies where those protections are applied in your networks. Your plans also must include provisions to coordinate protections with other entities to protect RTA/RTM data. You must then implement those plans on or before the effective date of the Standard.

Your data protection plan must include provisions for identifying the data to be protected. That data must then be protected while being transmitted between Control Centers.

This means your protection plan must also include provisions for protecting RTA/RTM data when transmitted in any form to any applicable Control Center. For example, data replication between a primary Control Center and a backup Control Center must be protected if the replicated data includes any of the RTA/RTM data types.

What's Permitted

CIP-012-1 R1 permits you to invoke CIP Exceptional Circumstances. In order to reduce your compliance risk for CIP-012-1, your data protection plan should include provisions for responding to CIP Exceptional Circumstances.

These provisions should include detection, recording and reporting of protection failures. The definition of a CIP Exceptional Circumstance includes "an imminent or existing hardware, software, or equipment failure," so you should be able to handle some failures of data protection as a CIP Exceptional Circumstance without resorting to a Self-Report.

What's Implied

In order to fulfill Requirement R1, you may need to perform some actions that R1 does not explicitly require:

A. Identify the communications paths to be protected. See Scope and Applicability for my suggestions on how to do this. If you will not be protecting all non-voice communications paths to other Control Centers, you must identify the types of information that meet the definition of RTA/RTM data and identify the communications paths to other Control Centers that carry any of this information. I recommend documenting the steps you use to perform this identification in your data protection plan so you can repeat the process as needed.

B. As with any plan, each of your data protection plans required by CIP-012-1 should be reviewed periodically, perhaps annually. While the Standard doesn't require this or specify a review period like other CIP Standards, I strongly recommend that you include review provisions in your plan. The intent of this review is to ensure your physical systems still match your plan and that changes haven't crept in that would make your plan inaccurate.

C. Each data protection plan should also include provisions to handle changes. For example, if the data to be protected changes, additional communication paths might need to be protected. Or you might commission a new Control Center, which must be added to the applicable data protection plans. Also, expect the Certification process for your new Control Center to look closely at the applicable data protection plans.

Conclusion

You will need to perform an applicability evaluation early as you assess your compliance and security posture around efforts to determine the communication paths that will be in scope, so you can begin planning the protections for those communication paths.

I suggest you begin your compliance efforts now; don't wait until the effective date is looming.

Requests for Assistance

If you are an entity registered within the RF Region and believe you need assistance in sorting your way through this or any compliance related issue, remember RF has the Assist Visit program. Submit an Assist Visit Request via the RF website here.

An expanded version of this article, "CIP-012-1 In Depth," is available in the RF CIP Knowledge Center. Back issues of The Lighthouse, expanded articles and reference documents are also available.

Feedback

Please provide any feedback you may have on these articles. Suggestions for topics are always welcome and appreciated. I may be reached here.

Lew Folkerth, Principal Reliability Consultant

Regulatory Affairs

FERC Holds Technical Conference on COVID-19 Impacts

On July 8-9, FERC held a technical conference focusing on the impacts of COVID-19 on the energy industry. The event consisted of four different discussion panels: System Operations and Planning Challenges; Electricity Demand and Transmission Planning; Natural Gas and Oil Demand; and Access to Capital - Credit, Liquidity, and Return on Equity. The FERC Commissioners had candid discussions with panelists regarding how COVID-19 has affected the industry, as well as the range of energy issues moving forward as the country addresses and recovers from the pandemic.

Jim Robb, President & CEO of NERC, participated in the panel on System Operations and Planning Challenges. He discussed key risks posed by the pandemic, including the risk of shortage of critical staff needed to operate and maintain the BPS, delayed preventive and corrective maintenance, and increased cyberattacks from opportunistic actors. Mr. Robb reported that the industry is rising to the challenge and that NERC has not observed any degradation to reliable operation of the BPS during the pandemic.

He also discussed the ERO Enterprise's activities to address pandemic-related risks through situational awareness activities (including issuing a Level 2 Alert on COVID-19 contingency planning), coordination with government partners and industry, and use of regulatory discretion.

The technical conference can be viewed on the FERC archived webcasts page. Additionally, on July 16, FERC issued a notice inviting post-technical conference comments on any or all of the topics discussed.

Cyberspace Solarium Commission Issues White Paper on Cybersecurity Lessons from the Pandemic

The Cyberspace Solarium Commission (CSC) was established by the 2019 National Defense Authorization Act to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences." The CSC includes U.S. Senators, members of the executive branch and industry members. After conducting an extensive survey in March, the CSC released a report advocating layered cyber deterrence.

Additionally, the CSC recently issued a white paper on Cybersecurity Lessons from the Pandemic. The white paper highlights 32 of the CSC's original recommendations that were published in its March report that have become even more pressing due to the pandemic. These recommendations include:

- Establishing a National Cyber Director to coordinate the federal government's incident response activities and serve as the focal point for private sector leaders to engage the executive branch on cybersecurity issues.
- Modifying the CSC's original recommendation to expand the update of secure cloud services now to call on Congress to include digitization grants to state, local, territorial and tribal governments as part of the COVID-19 stimulus.
- Developing and maintaining continuity of the economy planning to ensure continuous flow of goods and services regardless of a disruption's cause.
- Building societal resilience to disinformation, and working to identify, expose and explain malicious foreign influence operations.

The white paper also adds four new recommendations:

- Requesting Congress to pass an Internet of Things Security Law that focuses on known challenges, like insecurity in household Wi-Fi routers.
- Increasing support to nonprofits that assist Law Enforcement efforts to combat cybercrime and support victims (these nonprofits have been key law enforcement partners that can quickly mobilize to help identify and dismantle major online schemes).
- Support for establishing a Social Media Data and Threat Analysis Center to facilitate public-private cooperation to detect and counter foreign influence operations against the .
- Increasing nongovernmental capacity to identify and counter foreign disinformation and influence campaigns.

Standards Update

This recurring column provides our Registered Entities with relevant and recent updates to the Reliability Standards and Requirements.

General NERC Standards News

NERC Extends Expanded Self-Logging Program Related to COVID-19 Impacts

On August 13, NERC and the ERO announced the extension of its implemented approach to COVID-19-linked noncompliances, a short term expansion of the Self-Logging Program. The time extension also is applicable to the extension of on-site activities. NERC previously released an overall guidance document outlining the regulatory approach. Additionally, NERC provided a template form to be used in the submittal process. The program was originally set to expire on September 30, 2020, but due to extended COVID-19 impacts, has been extended through December 31, 2020. Highlights of the program include the following:

- All entities are eligible for this temporary expansion of Self-Logging, and previous admission to the Self-Logging program is not necessary;
- Both minimal and moderate risk noncompliances relating to COVID-19 can be submitted as a part of Expanded Self-Logging; and
- Under this temporary expansion of the Self-Logging Program, potential noncompliance related to coronavirus impacts and logged consistently with this guidance is expected to be resolved without further action.

Other COVID-19 Relevant Resources Posted

NERC/FERC have posted the following additional resources:

- In order to provide additional guidance regarding standards and compliance application resulting from COVID-19, NERC and FERC created a FAQ Spreadsheet about Joint NERC-FERC Industry Guidance for COVID-19.

Notable NERC Filings

In July-August, NERC filed the following with FERC:

- NERC submitted compliance filing with FERC regarding quarterly budget expenditures.
- NERC submitted a comment to FERC regarding the security risks and challenges facing the CIP space resulting from virtualization and cloud computing.


New Standards Projects

New Standards projects are described on the NERC Standards website, along with links to all drafts, voting results, and similar materials. Recent activity includes:

Project | Action | Start/End Date

Comment Period Open for Generating Unit Winter Weather Readiness - Current Industry Practices - Version 3 Draft Reliability Guideline | Comment Period | 8/7/2020 - 09/21/2020

Comment Period Open for Supply Chain Procurement Language Draft Security Guideline | Comment Period | 08/7/2020 - 09/21/2020

New Standards Projects

Project 2019-03-Cyber Security Supply Chain Risks | Additional Ballots and Non-Binding Poll | 09/1/2020 - 09/10/2020

Project 2019-2 BES Cyber System Information Management | Additional Ballots and Non-Binding Poll | 09/11/2020 - 09/21/2020

Recent and Upcoming Standards Enforcement Dates (Please see notes in "Notable NERC Filings" section regarding the deferment of some of the following Standards.)

October 1, 2020: CIP-005-6 - Cyber Security - Electronic Security Perimeter(s); CIP-010-3 - Cyber Security - Configuration Change Management and Vulnerability Assessments; CIP-013-1 - Cyber Security - Supply Chain Risk Management

January 1, 2021: PRC-002-2 - Disturbance Monitoring and Reporting Requirements (50% compliance for Requirements 2-4, 6-11); PRC-025-2 - Generator Relay Loadability, phased-in implementation of Attachment 1: Relay Settings, Table 1 Options 5b, 14b, 15b, and 16b by six months (January 1, 2021); CIP-008-6 - Cyber Security - Incident Reporting and Response Planning; PRC-012-2 - Remedial Action Schemes

April 1, 2021: PER-006-1 - Specific Training for Personnel; PRC-027-1 - Coordination of Protection Systems for Performance during Faults

July 1, 2021: TPL-007-3 - Transmission System Planned Performance for Geomagnetic Disturbance Events (Requirements 11 and 12)

January 1, 2022: TPL-007-3 - Transmission System Planned Performance for Geomagnetic Disturbance Events (Requirements 6, 6.1-6.4, 10, 10.1-10.4)

July 1, 2022: PRC-002-2 - Disturbance Monitoring and Reporting Requirements (100% compliance for Requirements 2-4, 6-11)

January 1, 2023: TPL-007-3 - Transmission System Planned Performance for Geomagnetic Disturbance Events (Requirements R3, R4, 4.1, 4.1.1-4.1.2, 4.2, 4.3, 4.3.1, R8, 8.1, 8.1.1-8.1.2, 8.3, 8.4, and 8.4.1)

January 1, 2024: TPL-007-3 - Transmission System Planned Performance for Geomagnetic Disturbance Events (Requirements R7, 7.1, 7.2, 7.3, 7.3.1-7.3.2, 7.4, 7.4.1-7.4.3, 7.5, and 7.5.1.)

These effective dates can be found here.

Watt's Up at RF

2021 Leadership Program

Congratulations to Deandra Williams-Lewis, Senior Director, Corporate Services at RF, for being named a member of the 2021 Leadership Cleveland program!

Through a competitive application process, Deandra earned a spot in this 10-month program that "provides unique and meaningful opportunities for conversations and experiences that build knowledge, skills and relationships. Participants learn about the community and explore how collaborative leadership is critical to Northeast Ohio's current and future success."

New Reliability Analysis Team

A key component of RF's strategic plan is continuously developing our internal services to serve our entities and stakeholders more effectively, as well as set us up for further growth and advancement. This included a realignment of the organization earlier this year to better support the plan and our mission of preserving and enhancing the reliability and security of the bulk power system.

One focus area of this realignment was integrating new functions, such as data analytics. As such, we are pleased to share that:

- Erik Johnson was promoted to the new position of Director, Reliability Analysis. In this role, Erik leads the newly created Analytic Services team and the Risk Analysis and Mitigation (RAM) team.
- Angie Colacarro was promoted to the new position of Manager, Analytic Services. Angie oversees Kristie Purcell, who now has added responsibilities as the Business & Configuration Management Analyst, and Segun Adebayo, who recently joined the team as a Senior Analyst, Data Analytics.
- Tony Jablonski continues to manage the RAM team.

Please join us in congratulating Erik and Angie on their promotions and welcoming Segun to the team. We look forward to using our expanding analytics capabilities to better serve our Region.

Welcome NEW RF Team Members

We are fortunate that our Business Continuity Plan and COVID-19 Preparedness Plan have allowed staff to seamlessly transition to working from home since March. With the extra efforts and leadership of our Human Resources and Information Technology teams, we also have been able to carry out our pre-pandemic plans for growth and welcomed five new employees to the RF family over the past few months. Please join us in welcoming them!

Segun Adebayo is a Senior Analyst, Data Analytics in the new Analytic Services Department.

Paul Benvenuti is a Senior Technical Auditor in the Operations/Planning Department.

Mike Hughes is a Principal Technical Auditor in the Operations/Planning Department.

Joseph Jagodnik is a Reliability Consultant in the Entity Engagement Department. Some of you may recognize Joe from his time as an intern in the RF Enforcement Department.

Margaret Wilson is a Senior Technical Auditor in the CIP Department.

Insider Threats Webinar

September 30, 2020 8:00 am - 12:00 pm

This half-day event will focus on Insider Threat risk management, trends, program management, best practices, lessons learned and resources.

Intended Audience
- Physical Security Managers
- Cyber-Security Managers
- Vendor / Supply Chain Managers
- Human Resources (HR) Managers and Administrators
- Executives, Privacy Attorneys, or individuals wanting to learn more about insider threats

Guest Presentations from
- CERT National Insider Threat Center
- FERC & NERC
- PJM & MISO

RF Wins Top Workplace Award

We are proud and excited to announce that 2020 is RF's second year being named a Top Workplace in Northeast Ohio! As this distinction is largely based on employee surveys, it serves as a direct reflection of RF's culture and demonstration of staff's dedication and enthusiasm.

Aside from being our second time on this well-known annual list, 2020 also marks a record year for overall local participation from nearly 300 employers and 43,000 employees in the greater Cleveland and Akron areas.

The employers cover a host of sectors, including private schools, law firms, manufacturers, construction companies, financial services and more.

Many thanks to our wonderful staff for helping achieve this recognition!

Calendar of Events

The complete calendar of RF Upcoming Events is located on our website here.

Date RF Upcoming Events Location

August 25 2020 Fall Virtual Workshop WebEx

August 27 Virtual Compliance Users Group Webinar (CUG) WebEx

September 21 Technical Talk with RF Conference Call

September 30 Insider Threats Webinar WebEx

October 19 Technical Talk with RF Conference Call

November 16 Technical Talk with RF Conference Call

December 2 4th Quarter Board of Directors Committee Meetings WebEx

December 3 Annual Meeting of Members and 4th Quarter Board of Directors Meeting WebEx

Date

September 1-2 NERC - GADS Wind Training

September 9 Exploring Opportunities to Secure the Supply Chain Workshop - Fortress Info Security

September 15-17 MISO Board Meeting

September 17 PJM Members Committee Meeting

September 24 NERC- 2020 Monitoring and Situational Awareness (M&SA) Technical Conference

September 30 FERC Technical Conference regarding Carbon Pricing in Organized Wholesale Electricity Markets

October 15 NERC- 2020 Monitoring and Situational Awareness (M&SA) Technical Conference

October 27 FERC Technical Conference regarding Offshore Wind Integration in RTOs/ISOs (Docket No. AD20-18-000) (Washington, DC)

October 29 PJM Members Committee Meeting

November 10 NERC- 2020 Monitoring and Situational Awareness (M&SA) Technical Conference

ReliabilityFirst Members

AEP ENERGY PARTNERS
AES NORTH AMERICA GENERATION
ALLEGHENY ELECTRIC COOPERATIVE, INC
AMERICAN ELECTRIC POWER SERVICE CORP
AMERICAN TRANSMISSION CO, LLC
APPALACHIAN POWER COMPANY
BUCKEYE POWER INC
CALPINE ENERGY SERVICES, LP
CITY OF VINELAND, NJ
CLOVERLAND ELECTRIC COOPERATIVE
CMS ENTERPRISES COMPANY
CONSUMERS ENERGY COMPANY
DARBY ENERGY, LLP
DATACAPABLE, INC
THE DAYTON POWER & LIGHT CO
DOMINION ENERGY, INC
DTE ELECTRIC
DUKE ENERGY SHARED SERVICES INC
DUQUESNE LIGHT COMPANY
DYNEGY, INC
EDISON MISSION MARKETING AND TRADING, INC.
EXELON CORPORATION
FIRSTENERGY SERVICES COMPANY
HAZELTON GENERATION LLC
HOOSIER ENERGY RURAL ELECTRIC COOPERATIVE, INC
ILLINOIS CITIZENS UTILITY BOARD
ILLINOIS MUNICIPAL ELECTRIC AGENCY
INDIANA MUNICIPAL POWER AGENCY
INDIANAPOLIS POWER & LIGHT COMPANY
INTERNATIONAL TRANSMISSION COMPANY
LANSING BOARD OF WATER AND LIGHT
LINDEN VFT, LLC
MICHIGAN ELECTRIC TRANSMISSION CO, LLC
MICHIGAN PUBLIC POWER AGENCY
MIDCONTINENT INDEPENDENT SYSTEM OPERATOR, INC
MORGAN STANLEY CAPITAL GROUP, INC
NEPTUNE REGIONAL TRANSMISSION SYSTEM, LLC
NEXTERA ENERGY RESOURCES, LLC
NORTHERN INDIANA PUBLIC SERVICE COMPANY
OFFICE OF PEOPLE'S COUNSEL, DISTRICT OF COLUMBIA
OHIO POWER COMPANY
OHIO VALLEY ELECTRIC CORPORATION
OLD DOMINION ELECTRIC COOPERATIVE
PENNSYLVANIA OFFICE OF CONSUMER ADVOCATE
PJM INTERCONNECTION, LLC
PPL ELECTRIC UTILITIES CORPORATION
PROVEN COMPLIANCE SOLUTIONS, INC
PUBLIC SERVICE ENTERPRISE GROUP, INC
ROCKLAND ELECTRIC COMPANY
SOUTHERN MARYLAND ELECTRIC COOPERATIVE, INC
TALEN ENERGY
TENASKA, INC
VALLEY AUTHORITY
UTILITY SERVICES, INC
VECTREN ENERGY DELIVERY OF INDIANA, INC
WABASH VALLEY POWER ASSOCIATION, INC
ELECTRIC POWER COMPANY
WOLVERINE POWER SUPPLY COOPERATIVE, INC
