CIP Version 4
The Basics

CIP Version 4 - Background
• Centers around expanded criteria for Critical Assets
  – FERC thought Risk Based Methodologies used by entities were not uniformly applied - Order 706
  – Used Bright Line Criteria to have more high level assets identified as Critical
  – Kiss my Risk Based Methodology good bye

CIP Version 4 - Background
• Criteria developed for the 3 major facility classes
  – Generation
  – Transmission
  – Control Centers
• Criteria in CIP-002-4 Attachment 1 is the basis of the changes in version 4.

CIP-002-4 Attachment 1*
Criteria used to determine Critical Assets
* Also refer to document: CIP-002-4 - Cyber Security - Critical Cyber Asset Identification Rationale and Implementation Reference Document

1.1 Generation >= 1500MWs
• Group of units at a single location with a total of 1500MWs Net Real Power† (i.e. 1500MWs deliverable to the interconnection)
  – Includes Nukes
  – Single location
    • In a defined physical footprint (as evident by)
      – Common fence
      – Common entry point
      – Shared common facilities
      – Common management organization
      – Similar naming convention (plant name - #)
• Connected to a single Interconnection*
* The three major electric system networks in North America: Eastern, Western, and ERCOT. NERC Glossary definition, used when capitalized.
† Where multiple net Real Power Capability values can be used, the highest value is judged against the Bright Line criteria.

1.1 Generation >= 1500MWs (Cont.)
• Why 1500MWs?
  – Taken from Contingency Reserve requirements of BAL-002
    • Makes sure BA has enough Contingency Reserves to return Interconnection frequency back to limits following a “Reportable Disturbance”
    • The BA or Reserve Sharing Group must maintain enough Contingency Reserve to cover the single most severe contingency.
    • 1500 MWs was derived from various BAs in all the regions as the most significant Contingency Reserves.
    • Figure could be verified through MOD-024, Verification of Generator Gross and Net Real Power Capability, which has to be given to SPP Model Development Group

1.1 Generation >= 1500MWs (Cont.)
• Critical Cyber Assets
  – Intent is to identify common mode vulnerabilities
    • Identify all cyber assets that collectively control/impact the 1500MWs of generation.
      – Cyber Assets - Programmable electronic devices and communication networks that use a routable protocol. Includes hardware, software and data.
    • Need to consider all facilities and systems up to the point where interconnected to the transmission system.
  – Has to be able to impact Bulk Electric System within 15 minutes

1.1 Generation >= 1500MWs (Cont.)
• Critical Cyber Assets (Cont.)
  – Cyber Asset has to be able to impact Bulk Electric System Operation within 15 minutes to be Critical
    • More than 15 minutes should give enough time to detect and remediate
      – Example of Cyber Assets controlling the coal fuel supply for a coal plant. May have enough time to correct situation before it affects real time condition.

1.2 Reactive Resource >= 1000MVARs
• Single or Group of units at a single location with a total of 1000MVARs
  – Excludes Generators
  – Net Reactive Power Nameplate Rating
  – Single Location evident by
    • Common fence
    • Common entry point
    • Shared common facilities
    • Common management organization
    • Similar naming convention (name - #)

1.3 Designated Generator
• Planning Coordinator or Transmission Planner designates as providing an adverse impact to BES
  – Within Long-term planning horizon
    • Time Horizon described in NERC’s “Time Horizons”
      – Defines long term planning horizon as one year or longer
  – Planning Coordinator (if none designated then Trans. Planner)
    • Identifies generator as a “Reliability Must Run” unit
      – Must Run for reliability beyond the local area
      – Not generators for Voltage Support within local area
    • Not a part of generators designated as “Must Run” for market
  – Examples are:
    • Category C3 in TPL-003

1.3 Designated Generator (Cont.)
• Planning Coordinator or Transmission Planner designates as providing an adverse impact to BES
  – Examples are:
    • Category C3 in TPL-003
      – Loss of two or more elements
      – Single Line to Ground (SLG) or 3 Phase Fault with Normal Clearing of
        » Generator, Transmission Circuit, Transformer or Single Pole (dc) Line
      – Manual System Adjustment
      – Followed by another SLG or 3Φ fault with Normal Clearing of
        » Generator, Transmission Circuit, or Transformer
      – System Stable; Voltage/Thermal Limits within range
      – Can shed load or curtail Firm Transfers
      – No Cascading Outages

1.3 Designated Generator (Cont.)
• Planning Coordinator or Transmission Planner designates as providing an adverse impact to BES
  – Another Example given:
    • Category D in TPL-004
      – Loss of two or more elements or Cascading out of service
      – 3 Phase Fault with Delayed Clearing (stuck breaker or protection system)
        » Generator, Transmission Circuit, Transformer or Bus Section
      – 3 Phase Fault with Normal Clearing
        » Breaker (failure or internal fault)
      – Loss of tower with 3 or more circuits
      – All Transmission lines in a common ROW
      – Loss of substation (1 voltage level and transformers)
      – Loss of all generation at one station
      – Loss of major load or major load center
      – Special Protection System or remedial action scheme
        » Failure to operate when required
        » Operation, partial operation or misoperation not intended to operate
      – Disturbances in another Region
        » Impact of power swings
        » Oscillations
    • Evaluate for Cascading outages, Substantial Customer Demand or generation loss in a widespread area.

1.3 Designated Generator (Cont.)
• Planning Coordinator or Transmission Planner designates as providing an adverse impact to BES
  – Definitions within categories
    • Normal Clearing
      – Normal clearing is when the protection system operates as designed and the Fault is cleared in the time normally expected with proper functioning of the installed protection systems. Delayed clearing of a Fault is due to failure of any protection system component such as a relay, circuit breaker, or current transformer, and not because of an intentional design delay.
    • Planned or controlled loss of demand or curtailed Firm transfers
      – Depending on system design and expected system impacts, the controlled interruption of electric supply to customers (load shedding), the planned removal from service of certain generators, and/or the curtailment of contracted Firm (nonrecallable reserved) electric power transfers may be necessary to maintain the overall reliability of the interconnected transmission systems.
    • Category D Extreme Events
      – A number of extreme contingencies that are listed under Category D and judged to be critical by the transmission planning entity(ies) will be selected for evaluation. It is not expected that all possible facility outages under each listed contingency of Category D will be evaluated.

1.4 Restoration plan BlackStart resource
• Black Start Units
• Listed in restoration plans of EOP-005-2

1.5 BlackStart Cranking Path
• BlackStart Cranking Path
  – Facilities from initial switching of BlackStart unit to
    • 1st interconnection point of 1st generator to be started
    • Where two or more path options exist in restoration plan
[Diagram: Black Start Unit, Cranking Path (Path 1, Path 2) through Substations to the 1st Generator]

1.6 Transmission Facilities >= 500KV
• Any Transmission Facility
  – At a substation
  – Operated at 500KV or greater

Discussion on Collector bus‡
• Collector bus at a Non-Critical Asset Generation plant
  – i.e. not aggregate of 1500MWs as in 1.1
  – Operated at 500KV or greater
  – Bus is considered a generation facility not transmission
  – Collector bus would not be considered a Critical Asset
‡ Collector bus is the low voltage side of a step-up transformer connected to a generator where real & reactive power is collected

1.7 Transmission Facilities >= 300KV
• Transmission Facilities operated within a substation
• Substation interconnected at >= 300KV to
• 3 or more substations
  – Ensures that level of impact is deemed appropriate
Note: 300KV facilities Critical Asset

1.8 IROL Substation Transmission Facilities
• Designated by Reliability Coordinator (SPP), Planning Authority, Transmission Planner
  – Transmission Facilities deemed critical to derive IROLs & Associated Contingencies
    • The region and member planners determine the contingencies and conditions that bring the system to the edge of reliable operations and then gather the values from the model runs.
• What’s an IROL?
  – Interconnection Reliability Operating Limit
    • The value (e.g. MW, MVAR, Hz, etc.) derived from / subset of the System Operating Limits* such that, if exceeded, could lead to widespread Bulk Electric System instability, cascading outages, or uncontrolled separation.
* SOL (System Operating Limits) – Values by which the Bulk Electric System can be reliably operated. Criteria/Methodologies are established to determine these limits both pre and post contingency.
Bottom Line -> Beyond these limits the BES can’t be counted on to deliver power in a reliable manner

1.9 Flexible AC Transmission Systems (FACTS)
• System composed of static equipment
  – Used in the transmission of electrical energy
  – Enhances controllability and increases power transfer capability
  – Power Electronics based system
• Reliability Coordinator, Planning Authority, or Transmission Planning has to designate them as a Critical Asset.
  – Must be critical to the derivation of an IROL
  – Or associated contingencies

1.10 Transmission Facilities for Gen interconnection
• Transmission Facilities for which if “something happened”* would prevent Critical Generation from connecting to the Transmission System
  – Applicable to generation at a single location >= 1500MWs (1.1)
  – Generation designated by Planning Coordinator or Transmission Planner to avoid BES adverse reliability impacts in the long-term planning horizon (one year or more) (1.3)
  – Ensures that Critical Generation can connect to Transmission System
[Diagram: Unit 1, Unit 2 and Unit 3 (> 1500MWs, or any Critically deemed generation) connected by Lines to an Interconnecting Substation]
* something happened - destroyed, degraded, misused, or otherwise rendered unavailable.. Yada yada

1.11 Transmission Facilities that interconnect Nuclear Plants
• Transmission Facilities identified as necessary to meet Nuclear Plant Interface Requirements (NPIR)
• Based on Standard NUC-001
  – Ensures the reliability of the NPIR by the coordination between the generator owner/operator and the transmission provider

1.12 Systems that control IROL(s)
• Special Protection System (SPS), Remedial Action Scheme (RAS), or Automated Switching System ()
• That operates Bulk Electric System Elements that if something happened*
  – Cause one or more element to exceed an IROL due to a failure to operate as designed
    » It operated outside of design parameters
    » Didn’t provide the function in the proper time frame
  – Compromise of these systems would have Wide Area impacts
  – Want to ensure that BES operates with the IROL
Interconnection Reliability Operation Limit - Value limit that a Critical System element may operate while maintaining system reliability.
* something happened - destroyed, degraded, misused, or otherwise rendered unavailable.. Yada yada

1.13 Automatic Load Shedding Systems
• Any System or Facility
• Performs automatic load shedding without human initiation, even if it requires a human to arm it
• >= 300MWs as required by regional load shedding program
  – Under Voltage Load Shedding (UVLS)
  – Under Frequency Load Shedding (UFLS)
  – Those 300MW systems which require human arming to operate automatically should be considered as Critical
• Why is this level lower than 1500MWs?
  – The UVLS and UFLS conditions represent the last ditch efforts to save the Bulk Electric System

1.14 - 1.17 Control Centers - a few words
• Control Centers perform control functions for multiple BES (Bulk Electric System) elements
  – These facilities are deemed to be Control Centers
• Facilities that perform control functions for a single BES element
  – Considered to be a part of that asset
    • Example
      – Control room for a single Generation plant or Transmission Substation
  – Not considered to be a Control Center
• Control Centers that delegate functional obligations to another location
  – Are also considered to be a Control Center. (A Control Center’s functional control center)
• Note that Data Centers not located with a control center may be considered as essential to its operations and hence a Critical Asset

1.14 Control Centers perform functions of RC
• Each Control and Back-up Control Center
  – Performs functional obligations of the Reliability Coordinator (RC)

1.15 Control Centers for Critical Generation Assets
• Each Control and Back-up Control Center
  – Used to control generation at multiple locations
  – Generation Control Centers that control generation assets identified in criteria 1.1, 1.3 or 1.4
    • (1.1) Generation at a single location, connected to a single Interconnection, and has a total Net Real Power >= 1500MWs
    • (1.3) Designated Generator: Planning Coordinator or Transmission Planner deems this unit as one whose operation is necessary to the reliable operation of the BES
    • (1.4) Black Start units

1.16 Transmission Operations Control Centers
• Each Control and Back-up Control Center
  – Used to carry out obligations of Transmission Operator
  – Transmission Control Centers that control at least one Transmission asset identified in criteria 1.2, 1.5 – 1.12
    • (1.2) Reactive Resources >= 1000MVARs
    • (1.5) Black Start Cranking Paths
    • (1.6) Transmission Facilities >= 500KV
    • (1.7) Transmission Facilities >= 300KV connected to 3 or more >= 300KV Transmission Substations
    • (1.8) IROL Transmission Substations
    • (1.9) Flexible AC Transmission Systems (FACTS)
    • (1.10) Transmission Facilities that interconnect Gen >= 1500MWs
    • (1.11) Transmission Facilities that interconnect Nuke Plants
    • (1.12) Systems controlling IROLs. SPS, RAS, Automatic Switching

1.17 Balancing Authority Control Centers
• Each Control and Back-up Control Center
  – Used to carry out obligations of the Balancing Authority
    • Balancing Authority with >= 1500MWs in a single Interconnection
      – Consistent with 1.1
  – Balancing Authority Control Centers that control at least one asset identified in criteria 1.1, 1.3, 1.4 or 1.13
    • (1.1) Generation at a single location, connected to a single Interconnection, and has a total Net Real Power >= 1500MWs
    • (1.3) Designated Generator: Planning Coordinator or Transmission Planner deems this unit as one whose operation is necessary to the reliable operation of the BES
    • (1.4) Black Start units
    • (1.13) Automatic Load Shedding Systems >= 300MWs

QUESTIONS?
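
An added example, not part of the original slides or of any NERC material: a Python sketch of the criterion 1.1 screening described above, followed by the Critical Cyber Asset test (routable protocol, able to impact the BES within 15 minutes). The class names, field names and the sample inventory are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

GEN_MW = 1500       # criterion 1.1 bright line
WINDOW_MIN = 15     # Critical Cyber Asset impact window from the slides

@dataclass
class Unit:                      # hypothetical inventory record
    name: str
    location: str                # shared footprint: common fence, entry point, management
    interconnection: str         # Eastern, Western or ERCOT
    net_mw_ratings: list         # every Net Real Power capability value on file for the unit

@dataclass
class CyberAsset:                # hypothetical inventory record
    name: str
    location: str
    routable: bool               # uses a routable protocol
    minutes_to_impact: float     # assumed estimate of time until BES operation is affected

def critical_generation(units):
    """Return {(location, interconnection): total MW} for groups meeting criterion 1.1."""
    totals = defaultdict(float)
    for u in units:
        # Dagger note on the 1.1 slide: with several capability values, the highest is used.
        totals[(u.location, u.interconnection)] += max(u.net_mw_ratings)
    return {key: mw for key, mw in totals.items() if mw >= GEN_MW}

def critical_cyber_assets(units, assets):
    """Names of cyber assets at a 1.1 location that can impact the BES within 15 minutes."""
    critical_sites = {loc for loc, _ in critical_generation(units)}
    return sorted(a.name for a in assets
                  if a.location in critical_sites
                  and a.routable
                  and a.minutes_to_impact <= WINDOW_MIN)

# Constructed sample inventory (not real plants, ratings or devices).
UNITS = [
    Unit("Plant A - 1", "Plant A", "Eastern", [780, 800]),
    Unit("Plant A - 2", "Plant A", "Eastern", [700, 720]),
    Unit("Plant B - 1", "Plant B", "Eastern", [900]),
    Unit("Plant B - 2", "Plant B", "Eastern", [590]),
]
ASSETS = [
    CyberAsset("A-DCS", "Plant A", True, 1),
    CyberAsset("A-coal-handling-PLC", "Plant A", True, 240),  # fuel supply: slow to impact
    CyberAsset("A-serial-relay", "Plant A", False, 1),        # no routable protocol
    CyberAsset("B-DCS", "Plant B", True, 1),                  # Plant B totals 1490 MW
]

if __name__ == "__main__":
    print(critical_generation(UNITS))
    print(critical_cyber_assets(UNITS, ASSETS))
```

Plant A only crosses the bright line because the highest rating per unit is summed (800 + 720); the lower values would total 1480 MW and miss it.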