On April 24, 2013, FERC’s Director of Enforcement issued a letter order accepting a FERC Staff audit of Bonneville Power Administration (BPA) to evaluate its compliance with NERC’s Reliability Standards. This is one of a handful of instances in which FERC staff has undertaken to assess Reliability Standards compliance without the direct involvement of NERC or its regional entities.
One other unique aspect of this audit report is the fact that BPA is a non-public utility and is not subject to FERC’s ratemaking jurisdiction. Of the four entities for which FERC staff has conducted Reliability Standards audits, two were non-public utilities — BPA and Salt River Project, for whom an audit report has not yet been issued. This is the first FERC audit report related to a non-public utility’s compliance with the NERC Reliability Standards.
FERC’s staff issued its audit letter to BPA on November 15, 2011. The audit covered the period from June 18, 2007 to January 25, 2013 and addressed BPA’s role as a balancing authority, load serving entity, planning authority, purchasing-selling entity, resource planner, transmission operator, transmission planner, transmission owner and transmission service provider.
Ultimately, FERC staff found six areas “in which BPA can improve compliance” and outlined 16 recommendations. The audit report does not reach any conclusions as to whether BPA committed any possible violations of the Reliability Standards. In a number of cases, the findings and recommendations fall outside of the scope of the Reliability Standards, but in other instances the findings and recommendations appear to correct deficiencies with respect to compliance with the Reliability Standards:
- Protection System Maintenance and Testing – FERC staff found that BPA did not specify maintenance and testing intervals for certain of its remedial action schemes as required under Reliability Standard PRC-005-1b R1.2. The audit report notes that BPA required testing for those remedial action schemes “as required,” which generally meant annually but could be extended to 18 months or more if system conditions warranted, but FERC staff recommended that BPA establish specific and supportable outer limits for the maintenance and testing intervals for these protection systems. FERC staff also found that BPA failed to include several pieces of protection system equipment in its maintenance and tracking tool, which meant that BPA did not have complete documentation of its maintenance and testing as required by PRC-005-1b R2. FERC staff recommended that BPA adopt a process to ensure that all facilities were properly tracked. Going beyond the standards, FERC staff also recommended that BPA change the policy by which it could deviate from established maintenance and testing intervals, which FERC found lacked limits on the number or length of such deviations.
- Outage Coordination – FERC staff noted that BPA conducts transmission planning studies and sets system operating limits (SOLs) under Reliability Standard TOP-002-2.1b in coordination with the Northwest Power Pool (NWPP). FERC staff noted, however, that the NWPP planning studies consider only planned outages of facilities at 230 kV or above or outages of other facilities that individual facility owners believe would be helpful to include in the studies. FERC staff ultimately concluded that BPA studies the impact of all BPA-owned facilities operating at 115 kV and above in establishing SOLs. However, FERC staff found that other NWPP members did not include facilities operating below 230 kV in the SOL studies, which FERC staff feared would reduce the accuracy of the SOL studies.
- Load Shedding Plans – FERC staff found that BPA had several areas prone to voltage stability issues, but that to address those issues BPA had procedures in place that would allow BPA to direct load shedding by distribution providers in its footprint or, if the distribution providers did not respond to the directive, to initiate its own load shedding at the transmission level as necessary. FERC staff raised concerns about whether BPA’s process would be effective within the 30-minute time frame required for responding to SOL violations under Reliability Standard TOP-007-WECC-1. Although not provided for in the Reliability Standards, FERC staff recommended that BPA (1) automate the processes by which load shedding amounts were calculated and by which BPA decided whether transmission level load shedding was needed and (2) conduct load shedding drills with its distribution providers.
- Transmission Planning – FERC staff found that BPA’s planning process entailed performing a screening study every three years, which included a full load flow and stability study for BPA’s entire transmission system, but that BPA would perform a more detailed area study only if the screening study identified areas in which there was deficient performance. FERC staff endorsed changes in BPA’s planning process that would require an annual review of all load service areas in its footprint, with detailed reviews for areas with significant changes in load or generation or for areas where system upgrades are planned. Areas with no significant changes and no planned upgrades will be studied at least every two years.
- Critical Cyber Asset Identification – FERC staff noted that while BPA had documented procedures for identification of critical cyber assets in its control centers, BPA did not have documented procedures for identification of critical cyber assets supporting equipment in the field. Although FERC staff stated that Reliability Standard CIP-002-3 R3 does not require an entity to have such documented procedures, FERC staff recommended that BPA adopt them anyway and model them after the bright line test for identification of critical cyber assets under a currently pending version 4 of Reliability Standard CIP-002. Also, although CIP-002-3 R3 requires that BPA identify critical cyber assets by identifying cyber assets that are “essential” to the operation of BPA’s critical assets, FERC staff recommended that BPA read “essential” to mean not just cyber assets that control the operation of critical assets, but also cyber assets that monitor critical assets.
In a letter appended to the audit report, BPA indicated that it agreed with all of the recommendations and in some cases was well on its way to implementing a number of them already.
Despite the very detailed nature of the audit report, it is unclear whether the report provides FERC’s complete and final assessment of BPA’s compliance with the Reliability Standards. As noted in our recent blog article related to the $975,000 civil penalty FERC assessed against Entergy, a FERC staff audit report with a handful of recommendations can still result in a referral to FERC’s investigation staff. In the Entergy case, a civil penalty was assessed two years after Entergy’s audit report was issued for several alleged violations of Reliability Standards that were not identified in Entergy’s audit report. The BPA audit report gives no indication whether FERC audit staff has made a similar referral to FERC’s investigation staff or whether FERC staff was fully satisfied by the corrective actions by BPA, which are referenced in the audit report. Despite significant efforts on the part of FERC to improve the transparency of its enforcement activities, the process by which FERC audits Reliability Standards and the relationship between those audits and an entity’s potential exposure to civil penalties remain unclear.
Finally, the findings related to CIP-002 in the audit report are noteworthy for a few reasons. First, as with the Entergy settlement, the BPA audit report publicly finds fault with BPA’s identification of critical cyber assets, and departs from FERC’s and NERC’s traditional practice of masking the identity of entities that are alleged to have violated the CIP Reliability Standards. Although that practice was intended to avoid disclosing weaknesses in cybersecurity controls which could be targets of future cyberattacks, FERC does not explain why it chose to disclose this particular cybersecurity issue or why the security concerns related to this particular disclosure are minimal. A second item of note is the fact that FERC’s recommendation is to implement documented procedures based on the bright line test established in Version 4 of the CIP Reliability Standards, which were not due to take effect until April 2014. As reported in a previous blog article, FERC recently proposed a rulemaking to adopt Version 5 of the CIP Reliability Standards and to have Version 5 supersede Version 4 before Version 4 ever becomes effective. Finally, FERC staff’s recommendation in this regard appears inconsistent with the views of at least one regional entity (WECC), which found that an entity implementing the Version 4 bright line test had violated the Version 3 requirement that the entity needed to adopt a risk-based assessment methodology for determining critical assets and associated critical cyber assets.