www.icfi.com/energy
ICF White Paper on Risk Based Assessment Methodology to Identify Critical Assets
Overview

In January 2008, the Federal Energy Regulatory Commission (FERC) approved Order 706, which made
CIP Standards 002 through 009 and the associated CIP implementation schedule mandatory. The FERC
order gave NERC direction on how to modify certain standards and required NERC to provide
guidance and support to the industry on the Risk-Based Assessment Methodology (RBAM) called for in
CIP-002.

This document focuses on CIP-002 because this particular standard is the basis for the CIP Reliability
Standards: it acts as a filter, determining whether a responsible entity must comply with the
remaining CIP Requirements in CIP-003-1 through CIP-009-1.

CIP-002 through CIP-009 require certain users, owners, and operators of the BES to comply with specific
requirements that safeguard the Critical Cyber Assets that control or affect the reliability of
North America's BES.

In accordance with the CIP implementation plan, Balancing Authorities (BA), Transmission Operators
(TOP), and Reliability Coordinators (RC) that were required to self-certify compliance with NERC's Urgent
Action Cyber Security Standard 1200 (UA 1200) should have been Auditably Compliant in the second
quarter of 2009. Most other responsible entities must be Compliant by December 31, 2009 and Auditably
Compliant by December 31, 2010. All entities will have to self-certify their compliance with the CIP
standards twice per year.
NERC Criticality Evaluation Guideline for Transmission, Generation Resources, Control Centers and Special Systems

The NERC Critical Infrastructure Protection Committee (CIPC) has worked extensively to put together a
guideline to help registered entities devise a proper methodology for identifying their Critical Assets (CA)
and Critical Cyber Assets (CCA).

As a result, the CIPC formed the Security Guidelines Working Group (SGWG) with the responsibility to
review existing and new CIPC-initiated security guidelines and coordinate their development with
electric industry personnel and committees.

SGWG developed the first Guideline for Identifying Critical Assets in 2008. In 2009, SGWG developed
two new guidelines. The first is a revised guideline for identifying the Critical Assets and the second is for
identifying the Critical Cyber Assets.

In September of 2009, CIPC approved the new guideline for Critical Asset Identification. This guideline
specifically relates to Requirement 1 (R1) of CIP-002. The SGWG-developed guideline for Critical Cyber
Asset Identification is also on track for CIPC review and approval later this year.

CIP-002 requires each responsible entity to develop a Risk Based Assessment Methodology (RBAM) to
use in identifying its Critical Assets (R1) and to develop a list of CA(s) such as facilities, systems and
equipment (even if such a list is null) based on an annual application of the RBA (R2 and R4). Furthermore,
the responsible entity must use the list of Critical Assets to develop a list of associated Critical Cyber
Assets that are essential to the operation of the Critical Assets (R3).

In particular, the guideline addresses some of the common concerns such as:

1. The asset types that have to be evaluated
2. Evaluation guidelines for each of the asset types
3. Guidelines for documentation of the assessment

This revised guideline takes a new approach with special emphasis on the definition of ALR (Adequate
Level of Reliability) and the use of ALR when considering the criticality of different asset types.

As listed in Table 1, a system with the following six characteristics will meet the definition of ALR.

Table 1: Adequate Level of Reliability Definitions

ALR Requirement Number | ALR Definition
1 | The System is controlled to stay within acceptable limits during normal conditions
2 | The System performs acceptably after credible contingencies
3 | The System limits the impact and scope of instability and cascading outages when they occur
4 | The System's facilities are protected from unacceptable damage by operating them within Facility Ratings
5 | The System's integrity can be restored promptly if lost
6 | The System has the ability to supply the aggregate electric power and energy requirements of electricity at all times, taking into account scheduled and reasonably expected unscheduled outages of system components

Source: NERC

The September 2009 CIPC guideline on Identifying Critical Assets (CA Guideline) provides four main
tables as evaluation guidance for determining the criticality of four asset types. The four asset types are
Transmission Substations, Generator Resources, Control Centers and Special Systems. In each of the
tables, the CA Guideline provides example criteria and a short description, and lists the ALR
characteristic number associated with each criterion.

Any asset whose loss or compromise could affect one or more of the six ALR characteristics represents
an unacceptable consequence to the BES and therefore should be considered a Critical Asset.

The Risk Based Assessment Methodology (RBAM) is expected to include procedures and evaluation
criteria that act as a series of inputs and filters used in determining the criticality of an asset.


The key factor in developing the RBAM is to identify the appropriate logic or evaluation basis that will form
the filtering criteria for each step. As part of a company's RBAM, the CA Guideline specifically discusses
utilizing engineering assessments as a part of the filtering criteria.

The CA Guideline states that "An engineering assessment or simulation provides a basis to determine
the extent to which an asset supports reliability or operability of the BES. Assessments, such as
contingency, steady state or transient load flow analysis or other relevant tools, modeling exercises and
techniques, should therefore serve as the basis for evaluation of an asset's impact on the grid." The
guidance also emphasizes that the assessment should consider varying load conditions, and it stresses
the use of steady state power flow analysis with relevant models and techniques.

Since 2007, ICF has used engineering assessments as the primary basis for determination of critical
assets for Transmission and Generation resources. The CA Guideline acts as a reinforcement of our
assessment methodology and confirms the past and future utility of these assessments as part of a
robust RBAM.

In addition, ICF utilizes FERC Order 706, NERC-approved guidelines and a number of authoritative
publications such as NIST SP 800-53 to capture both the reliability impact and the cyber impact of the
Control Centers and Special Systems used for reliable operation and protection of the BES.

The following sections of this paper focus on the ICF methods used for determining the criticality of
Transmission and Generation assets.
Risk and Risk Based Assessments

In a traditional sense, risk can be defined as a function of the probability and the impact of an event.
Risk-Based Assessment (RBA) is an analytical method to determine the value of risk related to a
recognized threat.

Figure 1 shows the empirical dependency for different risk levels. Each color in the figure represents a
risk tolerance level based on the nature of the event under consideration.

As an example, consider the consequences of an electric power outage. Businesses and homeowners
struggle with the absence of electrical service, and because restoring power in many cases takes a
substantial amount of time, the increased risk to national security during such events can be severe and
may be an even greater concern. As a result, even though the probability of such an occurrence may be
low, the associated risk could be very high.






Figure 1: Risk Tolerance Levels

The CA Guideline assumes that the probability of the potential for threats and vulnerabilities always exists
(i.e., the probability of occurrence =1.0) and therefore the risk-based assessment essentially becomes an
impact analysis.

The CA Guideline states, "Impacts can be intentional or unintentional, affecting not only an asset's
availability but also its functional integrity. Compromise may include effects that are not immediately
apparent. Impact analysis should consider BPS operations under different conditions."

Similarly, NERC Vice President and Chief Security Officer Michael Assante's April 7, 2009 letter to the
industry states that "NERC is requesting that entities take a fresh, comprehensive look at their risk-based
methodology and their resulting list of CAs with a broader perspective on the potential consequences to
the entire interconnected system of not only the loss of assets that they own or control, but also the
potential misuse of those assets by intelligent threat actors."

Both of these statements indicate that the RBAMs used by the Responsible Entities should be devised to
identify the CA and their associated CCA, and that these assets should be safeguarded in such a way as to
support and enable the BES to withstand sudden, unexpected disturbances such as short circuits and
unanticipated loss of system elements due to natural causes, in addition to withstanding disturbances
caused by man-made physical or cyber attacks involving misuse, manipulation and denial of service.

Engineering assessments therefore become the essential part of the process for including an asset in,
or excluding it from, the critical list.

Power-flow modeling tools have long been used as the engineering assessment of choice when studying
the operation of an asset within the interconnected system. They have been used extensively in the
Transmission Planning studies that support NERC TPL Standards. Such an analytical approach
continues to be a strong and viable contender for assessing how a particular asset influences the BES and
thus determining its criticality. This approach is also in line with the CA Guideline, where engineering
assessments are to be used as the reasoning factor when applying an evaluation criterion.

For each particular facility under study, the ICF methodology considers an electrical area in its
engineering assessment/RBA large enough to include the portions of the grid that could possibly be
affected by the operation of the facility. The ability of the BES to operate reliably is assessed by
monitoring voltage levels at substations and thermal loadings of lines under normal and contingency
conditions. Typically, under normal and contingency conditions, transmission line flows are expected to
remain within the normal and short-term emergency ratings, respectively. Similarly, voltage levels are
expected to remain within specified limits.[1] Violations of voltage and line limits may indicate a system
with compromised reliability.

The location, size and nature of a unit also play a very important role in determining criticality. Small units
of less than 50 MW typically tend to have minimal impact on the operation of the BES. However,
depending on the location, some of these units may be required to be online to provide VAR support or
voltage assistance.

The CA Guideline encourages the Responsible Entities not to work in isolation and to involve system
operators and planning engineers in the development of their Risk Based Methodologies. Entities are also
asked to seek cooperation from Reliability Coordinators, Balancing Authorities or other BES asset
owners, if needed. This cooperation could also provide an additional reasonable basis for filtering criteria,
which may include authoritative studies such as Transmission Planning studies, other NERC documents
and System Operators' bulletins that establish lessons learned based on past experience.

ICF is an authorized recipient of Critical Energy Infrastructure Information (CEII) and regularly receives
the generation and transmission system representation in the form of power flow cases from FERC.[2]
These system representations are used in the engineering assessments that determine the criticality of
assets. This is consistent with the NERC requirement to integrate a wide-area view into the RBA as
opposed to a narrow focus on just the asset under consideration.

Michael Assante's April 7, 2009 letter to the industry also states that "Impact analysis should consider
BPS operations under different conditions", which indicates that the engineering assessment should be
robust and address varying conditions. These modeling-related issues are discussed in the next section.
Additional Issues to Consider

Under heavy loading conditions, typically occurring in summer in most parts of the US, there is a tight
balance between demand and supply. In certain areas, low-voltage problems surface under light load
conditions as well. These problems are related to frequency swings and the ACE (Area Control Error)
running high.

[1] For example, substation voltages may be required to remain within 5% of the nominal value under normal conditions and within
10% under contingency conditions.
[2] FERC Form 715

Since other factors may vary during the operation of the system, additional scenarios may need to be
examined as part of the RBA. Some additional issues that should be considered are:

o The methodology for re-dispatch of generation after the simulated outage of the test facility:
While some areas have market-based approaches to deal with the loss of a generation unit,
in certain other areas re-dispatch is done entirely on a cost basis. Due consideration has to be
given to the way in which generation units are dispatched in the area under different scenarios.
o Load forecast errors: In some markets the actual demand may consistently exceed the forecast.
The effect of uncertainty in the load forecast should be incorporated in the modeling framework
while testing the criticality of generation assets.
o Interchange with neighboring areas: As a rule of thumb, there are scheduled net interchanges,
but they could vary under emergency conditions. The framework for power flow modeling should
account for varying interchange levels to test the impact of the loss of the test facility under
different interchange conditions.

The CA Guideline calls for impact analysis that considers BPS operations under different conditions
similar to those detailed above. ICF has historically used rigorous power-flow modeling under varying
load conditions to accurately identify critical assets. As part of the CEII that ICF receives from FERC, the
power-flow models are constantly updated to accurately reflect grid conditions.


ICF Risk Based Assessment Methodology and Engineering Assessment Flow Charts

The ICF RBAM is presented as a series of process models. This section details the various stages of the
methodology as a series of steps to determine if Critical Assets exist. Figure 2 is the pictorial presentation
of the overall methodology per asset type. In accordance with the CA Guideline, Figure 3 demonstrates
the ICF unit test used to determine an asset's criticality; the test serves as the reasonable basis for that asset's
inclusion in, or exclusion from, the critical list.

ICF uses the GE Positive Sequence Load Flow (GE-PSLF(TM)) model for performing Risk Based
Assessments. PSLF is ideal for simulating the loss of generation or transmission resources from the
power system and the model provides comprehensive and accurate load flow, dynamic simulation, short
circuit analysis, contingency analysis and system fault studies.

ICF's unit outage test is a steady-state, flow-based contingency modeling exercise in which line loadings
under normal and contingency conditions for both the reference case and the test case (with the unit
outaged) are compared. In the case of generation resources, the facility becomes the test asset, and for
transmission resources, the substation is considered the test asset. The results of the study are used
to determine if the loss of the unit creates additional overloads in the transmission system. As an
example, if new overloads exceeding 110% of the short-term emergency rating are created when the unit
is taken out of service, this could indicate that the loss of the unit creates a substantial impact on
the BES.

ICF also investigates the possibility of mitigation of these variations by changing the power output level of
generators in the system by re-dispatch. If such mitigation is possible, then the impact of the absence of
the facility is not expected to compromise the reliable operation of the system and therefore the asset
may not need to be considered critical.

Sample Generation Resource Criticality Power Flow Outputs

Sample results from a generation resource Risk-Based Assessment are shown in Tables 2 and 3. The
Change Case shown in each table refers to the case where the test asset under consideration is taken
out of service.
Table 2: Impact of Sample Generation Plant on Nodal Voltages, Line and Transformer Contingencies, Summer Peak

Monitored Bus [3] | Contingent Facility | Base Case PU Voltage | Change Case PU Voltage | Difference [4]
230 kV STLUCIE | Line SABAL 230.0 to GATLIN 230.0 Ckt 1 | 105.07% | 105.13% | 0.06%
230 kV SABAL | Line SABAL 230.0 to GATLIN 230.0 Ckt 1 | 105.21% | 105.27% | 0.06%
230 kV MIDWAY | Line SABAL 230.0 to GATLIN 230.0 Ckt 1 | 105.31% | 105.37% | 0.06%
230 kV PEACOCK | Line SABAL 230.0 to GATLIN 230.0 Ckt 1 | 105.25% | 105.31% | 0.06%
230 kV STCEAST | Line HOLOPAW 230.0 to STCEAST 230.0 Ckt 1 | 92.91% | 92.85% | 0.06%
230 kV STCSOU | Line HOLOPAW 230.0 to STCEAST 230.0 Ckt 1 | 93.07% | 93.01% | 0.06%
230 kV MYAKKA | Line LAURELWD 230.0 to AUBURN 230.0 Ckt 1 | 93.51% | 93.46% | 0.05%
230 kV AUBURN | Line LAURELWD 230.0 to AUBURN 230.0 Ckt 1 | 93.03% | 92.98% | 0.05%
230 kV GRANADA | Line LAURELWD 230.0 to AUBURN 230.0 Ckt 1 | 93.21% | 93.17% | 0.04%
230 kV EMERSON | Line BREVARD 230.0 to MALABAR 230.0 Ckt 2 | 105.23% | 105.26% | 0.03%
500 kV POINSETT | Line SABAL 230.0 to GATLIN 230.0 Ckt 1 | 105.50% | 105.53% | 0.03%
230 kV CORTEZ | Line JOHNSON 230.0 to CORTEZ 230.0 Ckt 1 | 93.91% | 93.88% | 0.03%
500 kV MARTIN | Line SABAL 230.0 to GATLIN 230.0 Ckt 1 | 105.42% | 105.45% | 0.03%

Table 3: Impact of Sample Generation Plant on Line Loadings, Line and Transformer Contingencies, Summer Peak

Monitored Facility [5] | Contingent Facility | Base Case Loading | Change Case Loading | Difference [6]
230 kV FTMEADE to WLKWALE Line Ckt 1 | Line HINES 230.0 to WLKWALE 230.0 Ckt 1 | 83.3% | 84.9% | 1.61%
230 kV RINGLING to POLO Line Ckt 1 | Line LAURELWD 230.0 to PANACEA 230.0 Ckt 1 | 80.6% | 81.6% | 0.92%
230 kV FRTVILLE to RINGLING Line Ckt 1 | Line RINGLING 230.0 to POLO 230.0 Ckt 1 | 82.9% | 83.5% | 0.60%
500/230 kV BRDGDUM to BRKRIDGE Xfmr Ckt 1 | Line CENTFLA 500.0 to CRYSTRV 500.0 Ckt 1 | 89.8% | 90.3% | 0.55%
500/230 kV CENTDM2 to CENTFLA Xfmr Ckt 1 | Line CENTFLA 500.0 to CENTDUM 500.0 Ckt 1 | 121.1% | 121.6% | 0.42%
230 kV FRTVILLE to PROCTOR Line Ckt 1 | Line LAURELWD 230.0 to RINGLING 230.0 Ckt 2 | 83.3% | 83.8% | 0.42%
500/230 kV CENTDUM to CENTFLA Xfmr Ckt 1 | Line CENTFLA 500.0 to CENTDM2 500.0 Ckt 1 | 115.7% | 116.1% | 0.40%
230 kV MANATEE to RINGLING Line Ckt 3 | Line JOHNSON 230.0 to RYE 230.0 Ckt 1 | 89.9% | 90.2% | 0.32%
230 kV CRPLANT to HOLDER Line Ckt 1 | Line CRPLANT 230.0 to HOLDER 230.0 Ckt 2 | 81.6% | 81.9% | 0.31%
230 kV CRPLANT to HOLDER Line Ckt 2 | Line CRPLANT 230.0 to HOLDER 230.0 Ckt 1 | 81.6% | 81.9% | 0.31%
230 kV MANATEE to RYE Line Ckt 1 | Line MANATEE 230.0 to RINGLING 230.0 Ckt 3 | 91.9% | 92.2% | 0.31%
230 kV JOHNSON to RYE Line Ckt 1 | Line MANATEE 230.0 to RINGLING 230.0 Ckt 3 | 88.9% | 89.2% | 0.31%
230 kV PARRISH to BUFFALO_CRK Line Ckt 1 | Line MANATEE 230.0 to RINGLING 230.0 Ckt 3 | 82.3% | 82.6% | 0.30%

[3] The table shows the contingency causing the greatest difference in voltage from the Base Case to the Change Case for each
monitored bus.
[4] Differences greater than 0.02% are shown.
[5] The table shows the contingency causing the greatest difference in loading from the Base Case to the Change Case for each
monitored element.
[6] Differences greater than 0.1% are shown.
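The screening logic behind the unit outage test described earlier and behind Tables 2 and 3, written out as an added Python example; this is not ICF's tooling or code from the paper, and it consumes results that a power-flow program would produce rather than solving a power flow itself. It keeps, per monitored bus or branch, the contingency with the greatest Base-to-Change-Case difference (footnotes 3 and 5), drops differences at or below the reporting floors (footnotes 4 and 6), and then screens the Change Case against the voltage bands of footnote 1 and the 110%-of-short-term-emergency-rating overload test. Every bus and branch name, the sample values and the function names are constructed for illustration; the thresholds are the ones the paper quotes.

```python
"""Steady-state unit outage screening (added example, not ICF's own tooling).

Results for a Base Case and a Change Case (test asset out of service) are
compared contingency by contingency, as the paper's unit outage test describes.
The thresholds are the ones the paper quotes; all names and numbers below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

VOLTAGE_REPORT_FLOOR = 0.02   # % of nominal; Table 2 shows differences above this (footnote 4)
LOADING_REPORT_FLOOR = 0.1    # % of rating; Table 3 shows differences above this (footnote 6)
NORMAL_VOLT_BAND = 5.0        # +/- % of nominal under normal conditions (footnote 1)
CONTINGENCY_VOLT_BAND = 10.0  # +/- % of nominal under contingency conditions (footnote 1)
NEW_OVERLOAD_PCT = 110.0      # % of short-term emergency rating (unit outage test)


@dataclass(frozen=True)
class Result:
    monitored: str    # monitored bus (voltage) or branch (loading)
    contingency: str  # contingent facility; "" means the normal, no-outage condition
    base: float       # Base Case value in % (PU voltage x 100, or % of rating)
    change: float     # Change Case value, with the test asset out of service


def worst_difference(rows: List[Result]) -> Dict[str, Result]:
    """Keep, per monitored element, the contingency with the largest |change - base|."""
    worst: Dict[str, Result] = {}
    for r in rows:
        cur = worst.get(r.monitored)
        if cur is None or abs(r.change - r.base) > abs(cur.change - cur.base):
            worst[r.monitored] = r
    return worst


def difference_table(rows: List[Result], floor: float) -> List[Tuple[str, str, float, float, float]]:
    """Rows of (monitored, contingency, base, change, |difference|), largest first,
    omitting differences at or below the reporting floor (the shape of Tables 2 and 3)."""
    table = []
    for r in worst_difference(rows).values():
        diff = round(abs(r.change - r.base), 2)
        if diff > floor:
            table.append((r.monitored, r.contingency, r.base, r.change, diff))
    return sorted(table, key=lambda t: t[4], reverse=True)


def new_voltage_violations(rows: List[Result]) -> List[Tuple[str, str, float]]:
    """Buses inside the applicable band in the Base Case that leave it in the Change
    Case. The band is +/-5% with no contingency and +/-10% under a contingency."""
    found = []
    for r in rows:
        band = NORMAL_VOLT_BAND if r.contingency == "" else CONTINGENCY_VOLT_BAND
        lo, hi = 100.0 - band, 100.0 + band
        if lo <= r.base <= hi and not (lo <= r.change <= hi):
            found.append((r.monitored, r.contingency, r.change))
    return found


def new_overloads(rows: List[Result]) -> List[Tuple[str, str, float]]:
    """Branches that exceed 110% of their short-term emergency rating only once the
    test asset is out; pre-existing overloads are not attributed to the asset."""
    return [(r.monitored, r.contingency, r.change) for r in rows
            if r.base <= NEW_OVERLOAD_PCT < r.change]


def is_candidate_critical(volt_rows, load_rows, mitigated_by_redispatch=False) -> bool:
    """Inclusion logic from the paper: a new voltage violation or a new overload that
    re-dispatch cannot remove makes the test asset a candidate Critical Asset."""
    if mitigated_by_redispatch:
        return False
    return bool(new_voltage_violations(volt_rows) or new_overloads(load_rows))


# Constructed sample results (illustrative values, not from a real power-flow case).
SAMPLE_VOLTAGE = [
    Result("230 kV BUS_A", "Line X to Y Ckt 1", 105.07, 105.13),
    Result("230 kV BUS_A", "Line P to Q Ckt 1", 105.10, 105.11),
    Result("230 kV BUS_B", "Line X to Y Ckt 1", 92.91, 92.85),
    Result("230 kV BUS_C", "", 96.2, 94.6),                        # leaves the +/-5% band
    Result("230 kV BUS_D", "Line P to Q Ckt 1", 91.0, 89.5),       # leaves the +/-10% band
]
SAMPLE_LOADING = [
    Result("230 kV A to B Ckt 1", "Line X to Y Ckt 1", 83.3, 84.9),
    Result("500/230 kV T1 Xfmr", "Line X to Y Ckt 1", 108.7, 112.4),   # new overload
    Result("500/230 kV T2 Xfmr", "Line P to Q Ckt 1", 115.7, 116.1),   # already overloaded
    Result("230 kV C to D Ckt 1", "Line P to Q Ckt 1", 80.60, 80.65),  # below the 0.1% floor
]

if __name__ == "__main__":
    for row in difference_table(SAMPLE_VOLTAGE, VOLTAGE_REPORT_FLOOR):
        print("voltage  %-16s %-20s %6.2f%% -> %6.2f%%  d=%.2f%%" % row)
    for row in difference_table(SAMPLE_LOADING, LOADING_REPORT_FLOOR):
        print("loading  %-22s %-20s %6.1f%% -> %6.1f%%  d=%.2f%%" % row)
    print("new voltage violations:", new_voltage_violations(SAMPLE_VOLTAGE))
    print("new overloads:", new_overloads(SAMPLE_LOADING))
    print("candidate critical:", is_candidate_critical(SAMPLE_VOLTAGE, SAMPLE_LOADING))
```

Two design points follow the paper rather than convenience: only violations that appear in the Change Case but not in the Base Case are counted, so an overload that already exists (the 115.7% transformer in the sample) is not charged to the test asset, and the re-dispatch flag reflects the paper's rule that a mitigable impact does not by itself make the asset critical.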

Dynamic Studies for Frequency Response and Criticality

The NERC guideline for assessment of criticality of transmission and generation resources suggests the
use of engineering analysis to study the frequency response to the loss of the asset and possible stability
issues. This can be accomplished using a dynamic analysis of the power system. The dynamic power-
flow analysis is an engineering study that can be used to determine the impact of an outside party, such as an
intruder, controlling generation or transmission assets. This kind of analysis would typically be required
for assets that are located in a load pocket or at a major interface point of the transmission system that is
frequently congested.

In the dynamic analysis, the time-domain response of the power system for a specified set of conditions,
which could include the loss of the test generation or transmission asset or possible misuse of assets,
would be studied for a specified time-frame. Typically, the frequency and voltage in the system are the
best indicators of system conditions over time and any abnormalities on these parameters would indicate
other potential issues.

Figure 4 is a dynamic plot that shows the time variation of several parameters like frequency, bus
voltages, and generator angles as an example to illustrate the nature of such analyses. In this example,
the variation of these system parameters for a disturbance on the transmission network is shown. This
type of dynamic study is also consistent with recent industry discussion regarding the potential use and
misuse of the generation assets.
Figure 4: Sample Dynamic Plot showing the variation of System Voltage (blue line) and other
significant power system parameters for a system disturbance at time t = 1 second
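The time-domain study described above, reduced to its simplest form as an added Python example; it is not ICF's GE-PSLF workflow and not code from the paper. It integrates a single-machine (aggregate) swing equation with a droop governor, applies the loss of a test generation asset at t = 1 second, and reports the frequency nadir, when it occurs, and the settled frequency, which is the kind of trace Figure 4 plots. The inertia constant, damping, droop, governor time constant and the 59.5 Hz under-frequency load-shedding threshold are assumed values, and the system size and asset sizes are constructed.

```python
"""Aggregate system frequency response to the loss of a test asset (added example,
not ICF's tooling).  Single-machine swing equation plus a droop governor; all
parameters below are assumptions and the system/asset sizes are constructed.
"""
from typing import Dict, List, Tuple


def simulate_generation_loss(loss_mw: float, system_mw: float, f0: float = 60.0,
                             H: float = 5.0, D: float = 1.0, R: float = 0.05,
                             Tg: float = 0.5, t_event: float = 1.0,
                             t_end: float = 30.0, dt: float = 0.01) -> List[Tuple[float, float]]:
    """Return (time, frequency in Hz) samples.  State is the per-unit speed deviation
    dw and the governor power change dpm, both on the system MW base:
        2H * d(dw)/dt  = dpm - dpe - D*dw     (swing equation, H in seconds)
        Tg * d(dpm)/dt = -dpm - dw/R          (droop governor, R in pu)
    where dpe steps to loss_mw/system_mw at t_event (the generation deficit)."""
    dpe_step = loss_mw / system_mw

    def derivs(t, dw, dpm):
        dpe = dpe_step if t >= t_event else 0.0
        return (dpm - dpe - D * dw) / (2.0 * H), (-dpm - dw / R) / Tg

    dw, dpm = 0.0, 0.0
    trace = [(0.0, f0)]
    for i in range(int(round(t_end / dt))):
        t = i * dt
        # classical 4th-order Runge-Kutta step
        k1 = derivs(t, dw, dpm)
        k2 = derivs(t + dt / 2, dw + dt / 2 * k1[0], dpm + dt / 2 * k1[1])
        k3 = derivs(t + dt / 2, dw + dt / 2 * k2[0], dpm + dt / 2 * k2[1])
        k4 = derivs(t + dt, dw + dt * k3[0], dpm + dt * k3[1])
        dw += dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0])
        dpm += dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1])
        trace.append(((i + 1) * dt, f0 * (1.0 + dw)))
    return trace


def frequency_metrics(trace: List[Tuple[float, float]]) -> Dict[str, float]:
    """Lowest frequency reached (nadir), when it occurred, and the end-of-run value."""
    t_nadir, nadir = min(trace, key=lambda p: p[1])
    return {"nadir": nadir, "t_nadir": t_nadir, "settled": trace[-1][1]}


def screen_assets(assets_mw: Dict[str, float], system_mw: float,
                  ufls_hz: float = 59.5) -> Dict[str, dict]:
    """Simulate the loss of each test asset and flag those whose nadir would reach
    the (assumed) under-frequency load-shedding threshold, i.e. need detailed study."""
    out: Dict[str, dict] = {}
    for name, mw in assets_mw.items():
        m = frequency_metrics(simulate_generation_loss(mw, system_mw))
        m["acceptable"] = m["nadir"] > ufls_hz
        out[name] = m
    return out


SAMPLE_SYSTEM_MW = 5000.0                                  # constructed aggregate system
SAMPLE_ASSETS_MW = {"Plant A": 250.0, "Plant B": 1000.0}   # constructed test assets

if __name__ == "__main__":
    for name, m in screen_assets(SAMPLE_ASSETS_MW, SAMPLE_SYSTEM_MW).items():
        print("%s: nadir %.3f Hz at t=%.2f s, settles at %.3f Hz -> %s" % (
            name, m["nadir"], m["t_nadir"], m["settled"],
            "acceptable" if m["acceptable"] else "needs detailed study"))
```

The settled frequency is fixed by droop and damping alone (deviation = deficit / (D + 1/R)), while the nadir depends on inertia and governor speed, which is why a steady-state power-flow case cannot answer the frequency-response question and a time-domain run is needed for assets in load pockets or at congested interfaces.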


Conclusion

The CA Guideline has been issued to provide the industry with new direction on complying with the Critical
Infrastructure Protection Standards and on identifying Critical Assets. Compliance starts with the
development and application of a Risk Based Assessment Methodology to determine if Critical Assets
exist. Engineering assessments that analyze the impact of an asset under varying conditions should
serve as the reasonable basis for determining the extent to which an asset supports the reliable
operation of the Bulk Electric System.

Ensuring BES reliability and protecting the nation's power grid infrastructure from any potential
(intentional or unintentional) physical and cyber attack is one of the top priorities of the government and a
number of regulatory agencies.

Like any other mandatory policy or provision, the NERC CIP standards will continue to evolve over
the next few years. The recent Concept Paper "Categorizing Cyber Systems, An Approach Based on
BES Reliability Functions" is a clear indication of the changes to come.

NERC recognizes that to meet the intent of the CIP standards, utilities need to take additional steps that
require time, money and often special expertise. As a result, NERC has worked with the industry and
submitted to the Commission a set of parameters for Technical Feasibility Exceptions (TFE). A TFE
allows a Responsible Entity to obtain written approval from the appropriate regulatory body to achieve a
comparable level of security to the particular requirement(s) at issue while working on a remediation plan
and timeline to eliminate the exception.

A compromised system can have severe consequences. The national security
implications and the social costs of an outage are certainly far reaching, but a company's reputation and
financial standing are also at stake, given FERC's maximum penalty of up to 1 million dollars
per day, per event. For many reasons, the power industry must continue to take the steps needed to
implement cyber security measures to safeguard its assets and operations.

ICF continues to support the Electric Power Industry in various areas of NERC Standards Compliance,
Transmission Modeling and Cyber Security.

For more information, contact:

o Jimmy Glotfelty - 713-445-2002, jglotfelty@icfi.com
o Farzaneh Tafreshi - 703-934-3447, ftafreshi@icfi.com
o Ken Collison - 703-934-3806, kcollison@icfi.com
o Kiran Kumaraswamy - 703-934-3623, kkumaraswamy@icfi.com

This report was prepared by ICF Resources, LLC ("ICF").
COPYRIGHT 2009 ICF Resources, LLC All rights reserved.