NERC Subscription Services Article

High Impact, Low Frequency Events


Summary of the Joint NERC/DOE Workshop
June 10, 2010

Impacted Functional Entities
• Balancing Authority
• Generator Owner
• Generator Operator
• Interchange Authority
• Load Serving Entity
• Planning Coordinator
• Reliability Coordinator
• Regional Entity
• Transmission Owner
• Transmission Operator
• Transmission Planner
• Transmission Service Provider

• CIP-TBD-X Critical Infrastructure Protection
• COM-TBD-X Communications
• EOP-TBD-X Emergency Preparedness and Operations
• FAC-TBD-X Facilities Design, Connections, and Maintenance
• IRO-TBD-X Interconnection Reliability Operations and Coordination
• PER-TBD-X Personnel Performance, Training, and Qualifications
• TOP-TBD-X Transmission Operations
• TPL-TBD-X Transmission Planning

Impacted Regions
• FRCC
• MRO
• NPCC
• RFC
• SERC
• SPP
• TRE
• WECC

Snapshot of Joint NERC/DOE Workshop Summary Report
• Captures risks, mitigations, and recommendations from the Nov-09 workshop jointly conducted by NERC and the DOE.
• Covers three categories of high-impact, low-frequency events addressed by industry and government experts.¹
  o Coordinated wide-scale cyber and physical attacks on BES weak points.
  o Loss of trained workers and critical personnel as a result of a pandemic.
  o Equipment and system damage caused by geomagnetic disturbances (solar storms) and electromagnetic pulses (EMP) from nuclear weapons.
• Could drive modifications to existing Standards addressing cyber/physical security (CIP), geomagnetic disturbances (IRO), emergency operations/communications (COM, EOP, IRO, TOP), operator training (PER), and BES architecture (FAC, TPL).
• Recommends fourteen actions to prepare for high-impact, low-frequency events. Common themes across all categories include the following:
  o Facilitate the transfer of sensitive information from government agencies prior to and during an incident so that the industry can react appropriately.
  o Develop more effective analytic tools which simulate the impact of high-impact, low-frequency events on the BES. Tools which alert System Operators to such conditions and verify restoration are also necessary.
  o Create and regularly validate associated response plans which include pre-determined alert levels and a common lexicon to use.
• The joint NERC/DOE workshop summary report was issued on June 2, 2010 to industry stakeholders. No timeframe has been set at this point for the formation of NERC Projects to implement its recommendations.

1 Included representatives from US Departments of Homeland Security, Defense, Health and Human
Services, the EMP Commission, and Congressional Staff.

© 2010 The Energy Group of America. All rights reserved. Page 1 of 5


Impacts and Recommended Actions

Clients should engage the appropriate design, planning, and operations Subject Matter Experts
to carefully review the detailed write-up on the November 2009 high-impact, low-frequency
event risk workshop on the following pages. Although the recommendations have not yet
been incorporated in the NERC Standards development process, there are tools, processes,
and training under consideration that could ultimately require significant time and
expenditures on your part.

Refer your Subject Matter Experts to the summary report issued jointly by NERC and the DOE
on 6/2/10² for the underlying technical and logistical basis of the recommendations.
Although quite extensive, the perspective provided by the governmental bodies responsible
for continent-wide health and security is worth understanding. The Executive Summary
provides a good overview of the workshop output and is not quite as technical.

Consider how the workshop recommendations can be incorporated into your existing security,
emergency operations, personnel, and system design functions. Some NERC Projects are
already driving related modifications to Standards (e.g., CIP-011-1, COM-003-1), but there
are other recommendations that have not been addressed. If hooks are built into tools,
methodologies, and processes associated with high-impact, low-frequency events early on,
it will make future updates easier.

Compliance managers should begin to consider how to incorporate documentation updates,
evidence collection, and reporting associated with this program into your compliance
program. Automated collection and summarization of BES performance, availability of
tools, facilities maintenance, and operator logs should be considered. Such automation will
prove useful for your existing compliance program and simplify future modifications.

Be aware that the engagement of government entities associated with national security and
public health will require the establishment of new lines of communication. Personnel with
“need-to-know” access to sensitive information have to be identified, coordinated processes
and training exercises will need to be developed, and real-time operations contacts must be
on-hand. It is not clear how much of this effort will be communicated down to the working
level – think of the disconnect created by CIP-001-1 R4 concerning engagement of a local
FBI contact in the event of sabotage.

In cases where there is a large vested interest in tools, methodologies, and operational
processes, Clients may want to consider joining the Standards Development Team when
nominations are requested by NERC. Although this is a significant commitment, there will
be opportunities to directly influence the extent of the modifications proposed by the joint
NERC/DOE workshop.

The Energy Group will be glad to assist you as you assess your existing capabilities to address high-
impact, low-frequency events. The consulting hours that are a part of your NERC Subscription
Services can be used for this purpose. If this or any other related activity is of interest, just send
us an email at NERCSubscription@energygrp.com or call our office at 407.293.8870 x260.

2 http://www.nerc.com/files/HILF.pdf


Joint NERC/DOE Workshop Summary Report Detail
On November 9-10, a closed session workshop was conducted in Washington DC to address
high-impact, low-frequency events. The workshop was conducted jointly by NERC and the
DOE and included representatives from government agencies and the industry. These types
of events have the potential to catastrophically impact the Bulk Electric System, but rarely
occur, or have not yet occurred. With real-world examples of the ruinous impact of natural
disasters and terrorist acts, policy makers and business managers have taken a renewed
interest in these risks across a number of critical industries. The electric sector has been
identified as a prime concern as it is a fundamental building block of our modern-day
civilization, and if disabled, could lead to civil unrest in a very short time period.

The workshop participants were divided into three groups, each tasked to recommend
actions to mitigate a category of high-impact, low-frequency events – coordinated
cyber/physical attacks, pandemic, and natural and human-generated electromagnetic
pulses. These recommendations were to be specific to the planning and operation of the
Bulk Electric System, although they are expected to be applied to other industries as well.
The participants were sensitized to the reality that the electric industry is already dealing
with other high priority reliability issues and that the cost/benefit tradeoff of each
recommendation had to be carefully considered.

With the advent of powerful telecommunications and computer technologies, the BES has
become more flexible and powerful, but has also incurred new vulnerabilities. Even as
it continues to transform to meet increased demand, reduce costs (smart grid), and address
legislative priorities (more renewables) – key functions and personnel are becoming
more concentrated. Real-life examples of wide-area power outages caused by a high-impact,
low-frequency event – the 1989 geomagnetic storm in Quebec comes to mind – have already
exposed these vulnerabilities. In addition, other industries have experienced massive
network failure due to cyber attacks by hostile groups and governments. Lastly, even the
relatively mild 2009 A/H1N1 outbreak led to widespread workforce disruptions as people
stayed home to avoid contagion.

[Figure: 1989 Geomagnetic Storm – View from the Ground]

All these high-impact, low-frequency events had common characteristics which make them
uniquely difficult to mitigate. First, they are externally driven by events out of the
control of industry participants, whether an act of nature or of humans. This excludes the
2003 blackout in the Northeast US and Canada, which could have been preempted through
proper vegetation management. However, no amount of industry preparation can prevent
the occurrence of a pandemic or the explosion of a nuclear device by a hostile force. Second,
high-impact, low-frequency events can occur with little warning and reach maximum
impact in a matter of minutes or even seconds. Lastly, it is difficult to develop processes,
training, and tools to mitigate such events as they rarely occur – and are adaptive in the case
of pandemics and human-driven crises. This means past events hold little correlation to
future risks.

The final summary report issued by the workshop sponsors recommends fourteen actions
that the electric industry and invested governmental agencies should take in order to
prepare for high-impact, low-frequency events. Although many of the actions are specific to
the category of risk, our review identified three common themes. First, linkages must be
established between the appropriate governmental agencies and the industry to facilitate
the transfer of sensitive information prior to and during an incident. This presents a risk
that the methods used and personnel who collect such information could be compromised.
Although the Departments of Defense and Homeland Security may be naturally reluctant to
pass on their knowledge of an event, some accommodation must be made in order for
industry participants to properly respond. Correspondingly, it is likely that industry
participants will be required to identify critical vulnerabilities within their systems to their
governmental counterparts – which will not be easy to do either. A redacted example of a
recommended action is provided below with commentary.

Proposal for Action GMD/EMP 1

[Commentary: This provides a sense of the extent of involvement by government and
industry stakeholders.]

NERC, working with its stakeholders, the U.S. DOE, and appropriate government authorities
in Canada should create a task force of industry, equipment manufacturers, and risk experts to
evaluate and prioritize mitigation and restoration options for Geomagnetic Disturbances
(GMD), High-altitude Electromagnetic Pulse (HEMP) events, and Intentional
Electromagnetic Interference (IEMI) threats, while recognizing the similarities and
differences of these three severe electromagnetic threats. Focus should be given to identifying
the prioritized “top ten” mitigation steps that are cost-effective and sufficient to protect the
power system from widespread catastrophic damage due to each of these threats. The task
force should consider the options and concepts discussed in this workshop report, including:
• Define the protection environment for each of the electromagnetic threats, considering
the work recently completed by the U.S. Commission to Assess the Threat to the
United States from Electromagnetic Pulse (EMP) Attack (U.S. EMP Commission), the
National Academy of Sciences, FERC and the Federal Emergency Management
Agency (FEMA).
• Identify the primary interdependencies with the other critical infrastructures that will
impact restoration and reconstitution, with focus on telecommunications and fuel
supply and delivery. Encourage cross-sector coordination to ensure the response of
these assets to a GMD or HEMP attack is understood and that appropriate protections
are put in place.

[Commentary: Identification of cross-sector dependencies and the establishment of
communications linkages will be a challenge.]

The second common premise is that planning and operations tools which address high-
impact, low-frequency events must be developed and deployed. This begins with analytic
tools which simulate the change in conditions on the BES that would result from a sudden,
fast-moving external stimulus. For example, high voltage transformers, which can be
irreparably damaged by electromagnetic pulses, may be pre-identified and protections
devised accordingly. Tools which monitor and alert System Operators to high-impact, low-
frequency eventualities are also required. These will need to provide information to
appropriately assess a condition and validate restorative actions – and may even take
mitigating measures under certain circumstances. One could visualize that this may be
appropriate in the case of a cyber attack that is constantly adapting to protective responses.

Third, response plans that address high-impact, low-frequency events will need to be
created and regularly validated. These plans will necessarily identify the communication
pathways to the appropriate government agencies, pre-determined alert levels and a
common lexicon to use. Some level of ongoing training, certification, and simulations will be
required in order to assure preparedness. For example, during a pandemic, key personnel
may be given priority access to vaccines and allowed unrestricted travel. However, since
the last serious pandemic in North America was in 1918, it is of key concern whether the proper
actions will be taken in the unfortunate case that another one occurs.

There are a number of linkages between the existing body of NERC Standards/Projects and
the workshop recommendations. Some, like the Critical Infrastructure Protection (CIP)
Standards, are directly applicable – although modifications to account for
coordinated physical and cyber attacks are necessary. COM-003-1,
presently under development, already establishes a common lexicon and
alert levels for System Operators under emergency conditions; and
NERC’s Continuing Education (CECD) program establishes baseline
training by function. We believe that the EOP, FAC, IRO, and TPL
Standards and associated Projects can accommodate a number of
recommendations without major structural changes. Lastly, and perhaps
most importantly, Project 2009-02 “Real-time Reliability Monitoring and
Analysis Capabilities” has begun to develop a framework for BES planning
and operations tools which is similar to the workshop proposals³.

Other recommendations will be harder to address. The identification of
Reliability Standards and requirements which can be temporarily
suspended during a pandemic (due to unavailable personnel) has no
obvious corollary. An industry-wide inventory of critical, long lead-time components makes
sense, but is difficult to assemble and maintain. It is not clear who will implement
recommendations to establish ongoing linkages to academia, software tool developers, and
think-tanks to introduce technologies and techniques that mitigate high-impact, low-
frequency events and identify new ones.

[Figure: Poster - 1918 Pandemic]

Lastly, the execution of the intent of the recommendations at the working level is heavily
dependent on the proper dissemination of information from higher up. The electric
industry experience with engaging the local FBI or RCMP office in the event of sabotage
reflects what can happen if not previously communicated downwards. Although adherence
to CIP-001-1 R4 is auditable and industry stakeholders can be subject to fines if not
compliant, many of our Clients were referred to local state and county authorities –
undermining its intent.

Although it is very early in the planning phase, the governmental agencies involved,
including FERC, are highly motivated to move quickly on the workshop’s recommendations.
In addition, industry participants need only look at regulator responses to high-impact
events (think 2003 blackout) to perceive that such incidents are to be avoided. In addition,
regulator assessments often include political considerations, which may or may not be
subject to modification by the industry. It is always best to engage in these programs early
on if possible to get your voice heard – before they are mandated from on-high.

Clients may find further information on the summary report authored by the joint
NERC/DOE team concerning high-impact, low-frequency events at the NERC website at
http://www.nerc.com/files/HILF.pdf.

3 See our related NERC Subscription Services Article dated 6/3/2010
