Transcription
SPRING2013WINTER2021NERC PRC-027-1OVERVIEW ANDIMPLEMENTATIONTURNING THE CORNER ONCYBER-SECURE PROTECTIONTESTING PAGE XXWHAT IS THIS NERC? PAGE XXQUICK GUIDE TO DISCHARGETESTING PAGE XXIS S N 21 6 7 -35 9 4 N ETA WO R LD J O UR N A L PR I N TIS S N 21 6 7 -35 8 6 N ETA WO R LD J O UR N A L O N LI N E
FEATURETURNING THE CORNER ONCYBER-SECUREPROTECTIONTESTINGB Y B RYA N GW YN , S A GAR SING AM , an d J OE ST EV ENSON,Doble Engineering CompanyMatters of NERC PRC and NERC CIP compliance intersect duringprotection system testing on substation networks. In the modern regulatoryenvironment, the benefits of computer-based relaying are challengedby the costs of cyber security and disrupted or insufficient relay testingpractices. The way forward demands interconnected data and the abilityto track critical metrics automatically. Organizations can modernize whileensuring compliance readiness by implementing systems that integrateprotection and cyber domains into scalable management platforms.Electric power utilities that operate bulkelectric system (BES) generation andtransmission facilities confront more challengesthan ever before. The stakes surroundingsystem reliability have never been higher,and the pressure on workers — especially2 WINTER 2021protection and control (P&C) and informationtechnology (IT) personnel — is tremendous.Every turn in the modern utility workenvironment is seeing demands to modernizeand deploy re-envisioned operations thatTURNING THE CORNER ON CYBER-SECURE PROTECTION TESTING
FEATUREPHOTO: ISTOCKPHOTO.COM/PORTFOLIO/DKOSIGrely heavily on automation. Devising newphilosophies and practices at a time whenthe grid is undergoing rapid power deliverytransformations and cyber attacks are pervasivecan significantly disrupt and overload theworkforce.Personnel in P&C and IT areas of utilityoperations perform work that directly affectssystem reliability. Despite evolving powersystem conditions and increased defensesagainst cyber threats, they must maintainstability with existing systems while plottingnext steps to keep pace with advancingtechnologies. On top of it all, they face uniqueresponsibilities concerning mandates thatare enforced by the North American ElectricReliability Corporation (NERC).CO M P L IA NC ENERC Critical Infrastructure Protection(CIP) refers to a set of requirements thatbind utilities to the protection, security, andmaintenance of computer infrastructures thataffect BES reliability. NERC CIP standardsspecify measures utilities must abide by todefend devices, software, and data against cyberthreats. Twelve CIP standards are presentlysubject to enforcement, and some of themare being revised while new ones are beingproposed for future enforcement.NERC Protection and Control (PRC)standards require proof that elements affectingthe reliability of protection and control systemsamong BES facilities are being addressed byutility engineering and maintenance processes.NERC PRC standards confront orthodoxywithin P&C operations by expressly statingthe metrics that are expected and the timethat is allowed for attaining them. Some PRCstandards allow alternatives to time limits ifevidence can be presented that substantiatesthe necessary criteria. There are nineteenTURNING THE CORNER ON CYBER-SECURE PROTECTION TESTINGNETAWORLD 3
FEATUREenforceable PRC standards, and as with CIPstandards, there are PRC standards that arepresently being revised and new ones that arebeing drafted.NERC PRC-005, Protection System, AutomaticReclosing, and Sudden Pressure RelayingMaintenance if used on BES facilities.Microprocessor-based relays are multifunction, networked devices that ersions and algorithmic protection,automation, communication, and controlprocesses. Microprocessor relays havesoftware from their respective manufacturersthat is used to program the devices. Thefiles produced by the manufacturers’software contain settings data in differentproprietary formats. Test technicianswho commission microprocessor relays and thosePersonnel who engineerwho perform periodicand test protection sysP&C PERSONNEL WHOmaintenance testing ontems cannot do their workPREVIOUSLY FACEDthem deal with hundredswithout company-issuedor even thousands of setcomputers installed withLIMITED, IF ANY, COMPANYtings not to mention logicauthorized software appliOVERSIGHT OF THEIR WORKparameters that must alsocations. It is not uncomCOMPUTERS NOW OPERATEbe verified.mon for P&C personnelto use dozens of softwareUNDER MUCH MOREPurely digital relays —applications given the nuSCRUTINY AND CONTROL.intelligent electronic demerous device types andvices (IEDs) — are muldata formats in play. Contifunction, algorithmic,sequently, security patchesprotection and controland software updates needdevices that have propried for P&C software applietary configuration softcations can overwhelm ITware, though additionalsupport staff. Safeguards inprogramming steps areplace for CIP compliancenecessary. IEDs must becan impede P&C workersset to respond properly to digital signals beingwho face PRC compliance deadlines. Regardemitted by other IEDs in substation networkless, NERC-mandated requirements must beinfrastructures. In protection and controlcompleted on time, and thorough documensystems based on the IEC 61850 standard,tation must be kept that could be needed asIEDs process digital signals containingevidence for compliance audits.power system quantities and inter-deviceR E LAYScommunication streams in separate processA significant number of electromechanicalbus (protection system) and station busrelays are still used and usually have their own(control system) networks. IED programmingset of engineering and testing files, recordsinvolves not just the device itself, but alsowarehousing, test materials, and maintenancethe configurations of other IEDs and evenpractices. Electromechanical relays are singlethe process bus and station bus networks asfunction analog protective devices that requirea whole. The devices are nodes of substationcalibration during maintenance; they fall undernetworks.NERC compliance means different things toIT and P&C teams, though cyber security andprotection system reliability are interrelatedsubjects with evolving technical and regulatoryresponsibilities. CIP mandates affect PRCmandates and vice versa, and P&C teamsand IT resources who support them are bothaffected by the complexities of dealing withvarious data from utility electronics andelectrical equipment.4 WINTER 2021TURNING THE CORNER ON CYBER-SECURE PROTECTION TESTING
FEATUREInteractions Affecting PRC and CIP ComplianceNERC PRC-027 Coordination &PRC-004 Misoperations Power System DataSetting CalculationsCoordination StudiesCommunication with ConnectedEntitiesNERC PRC 005Maintenace Deploy Settings and Patches Track Intervals and ResultsNERC CIP-007 SystemSecurityPower System Model Security Patch ManagementNERC CIP-010 ChangeManagement andVulnerability Assessments Maintain Cyber Asset Security Maintain Transient Cyber AssetsNERC CIP-013Supply Chain Risk Supply Chain SecurityGovernanceFigure 1: Complying with NERC PRC and NERC CIP standards introduces complexities in utility operations.Microprocessor-based relays and IEDs used onBES facilities come under both PRC and CIPcompliance mandates. As devices that affectthe reliability of protection systems on BESfacilities, they must be tested within requiredtime intervals. As computers on BES facilities,they are considered cyber assets and addedcare must be taken during testing to preventmalware incursions into substation networks.Protection system device testing requiresspecialized electrical equipment that usuallyis paired with control software provided bythe respective test instrument manufacturer,although stand-alone protection test softwarealso exists in the power industry marketplace.P&C departments might have designatedpersonnel who specialize in testing certainrelays, or they might have crews equallycapable of testing across relay types. Theymight perform automated tests with certainrelays and manual tests with others. Theycould outsource testing if in-house resourcesare too few or are inexperienced, or perhapsif they lack the necessary test instruments. Inany event, they are responsible for compliancewith NERC PRC and CIP standards as wellas maintaining test records as evidence forcompliance audits.Protection system engineers use softwaretools that compute relay protection settingsfrom configured power system models. Relaysettings and configuration data are usuallymanaged in various mediums from scanneddocuments to spreadsheets and databases torelay manufacturers’ proprietary software files,although protection system asset managementsoftware is available commercially. The settingsrecords of relays on BES facilities are subjectto both PRC and CIP standards; BES relaysettings must be verified on the actual devices,and settings data can only be applied to devicesin secured computer-to-device exchanges.Network topologies that are home to today’sprotection and control systems are managedby operational technology (OT) personnelin concert with IT departments that haveenterprise cyber security top-of-mind. P&Cpersonnel who previously faced limited, if any,company oversight of their work computersnow operate under much more scrutiny andcontrol. The systems and applications theyuse must be secured and maintained centrallythrough OT/IT, which invites challenges toongoing support of older products and slowsthe adoption of the latest-and-greatest toolspersonnel might need.TURNING THE CORNER ON CYBER-SECURE PROTECTION TESTINGNETAWORLD 5
FEATUREC OM P LIANC EIn essence, PRC compliance and CIPcompliance are tightly integrated partsof overall NERC compliance programs.Although separately enforceable, they aremutually consequential. Utility complianceofficers identify, track, and report on NERCmandated elements within these standards butmay not realize or plan for how the mandatesimpact workers. A best practice is proactivecoordination between compliance officersand subject matter experts from OT/IT andP&C areas of the organization. Complianceprogram success is influenced greatly by theinvolvement of stakeholders who can reveal thecomplications endemic to cyber security whenit comes to routine protection engineering andtesting responsibilities.Utility information systems can be separatedby functional areas. For example, compliancemanagement systems in the domain ofcompliance officers are separate from cybersecurity management systems that reside withIT. Protection system models and relay settingsdata are managed by protection engineers,whereas information about protection testingis found on field computers and shared drivesor in filing cabinets.For compliance program strategies tobe effective, utilities need central data,information, and workflow management.OT/IT and P&C areas can become taskedwith refining and expanding existing in-housesystems. Where there are limits, workaroundsare devised. Commercial software productsthat are used become integrated as far aspossible, but varied data formats and diversework processes within P&C cause gaps thatin-house central management approaches don’tovercome.Many utilities use commercially availablecentral management software that canconsolidate, standardize, and integrate cybersecurity, protection engineering, protectiontesting, and compliance. Ultimately, thesesystems ensure cyber-secure transactions ofcritical data in mediums that do not hinder6 WINTER 2021worker efficiency, even if workers have differentneeds and come from separate functional areas.TRACKI NG ANDREPORTI NGWith effective central management of cyberassets and P&C work details, complianceofficers have visibility of numerousinterconnections between processes andindividual CIP and PRC standards. Havingsuch visibility proves invaluable when plottingwork steps for teams to follow. For instance,consolidated information about CIP andPRC mandates can enable compliance teamsto focus on priorities (the mandates) andoffload tracking and reporting functions tothe software systems’ automated managementfunctions. Analytical tools can provide crucialinsights about compliance-related activities andthe effects they have on reliability.For example, PRC-004, Protection SystemMisoperation Identification and Correctionrequires utilities to formalize proceduressurrounding the identification and correctionof unforeseen or unexpected protection systemoperations. Faulty test practices and incorrectlyapplied relay settings are two main causesof relay failures, and NERC mandates thatutilities track how they investigate and resolvemistakes within their operations.NERC PRC-004 tracking could exposeone additional factor that leads to relaymisoperations: overdue maintenance testing.Another standard, PRC-005, Transmission andGeneration Protection System Maintenance andTesting requires utilities to provide evidence thatrelays and other protection system componentsare tested in regular maintenance intervals.Auditors want to see that utilities have viableprotection system maintenance programs tothe extent that they have the capacity to reachall BES protection system facilities and testingand calibration is accomplished by requireddeadlines.MI SOPERATI ONSBut what if protection system misoperationsresult from relay settings that weren’t correct inTURNING THE CORNER ON CYBER-SECURE PROTECTION TESTING
FEATUREthe first place? Another NERC PRC standard,PRC-027, Coordination of Protection Systemsfor Performance During Faults came intoeffect April 1, 2021, and addresses that issueby mandating periodic settings reviews andprotection system coordination studies.The new requirementsaffect protection engineerswho must produce evidenceof a formal process theyadhere to when developingsettings. Under PRC-027,protection engineers mustalso revisit system models,recalculate all protectionsettings values, and recoordinate protectionschemes.settings may become invalid as changes infault currents occur. These changes may bedue to changes in the power system such aschanging power system characteristics as aresult of significant additions of inverterbased renewables coming online that canaffect protection systemoperability on the BES.NERC wants utilitiesWITH EFFECTIVE CENTRALto enact processes toMANAGEMENT OF CYBERproactively find incorrectrelay settings, correct them,ASSETS AND P&C WORKand communicate correctDETAILS, COMPLIANCEsettings information toOFFICERS HAVE VISIBILITYaffected entities in a timelyTO NUMEROUSmanner.INTERCONNECTIONSPRC-027 Requirement 2(R2) concerns protectionINDIVIDUAL CIP AND PRCsystem coordination.PRC-027 brings intoUnder R2, protectionSTANDARDS.focus the accuracy ofengineers must verify thatprotection settings overcoordination studies aretime. Requirement 1 (R1)performed on the affectedof the standard concernsprotection systems anythe accuracy of the originaltime there have beenpower system modelssignificant changes to theupon which protectionBES. Similar to R1, ifsettings are first calculated.any settings changes ariseThe settings that go into service in protectionfrom coordination studies being performed,schemes are only as good as the data in powerprotection engineers must contact any affectedsystem models. For this reason, PRC-027electrically joined utilities and communicateR1 mandates that power system models arethe new settings information to ensure allreviewed and updated.protection systems in that area are coordinatedproperly for handling power system faults.Another part of R1 concerns review ofprotection system settings. Protection engineersConcerning the communication to neighboringmust periodically revisit the settings forutilities of settings change information, R1accuracy, but also to ensure that neighboring,and R2 are not completed until there iselectrically joined utilities have settings ondocumentation that the communication tookrecord that coordinate with one another, suchplace. Further, the matter of settings changesthat protection systems operate in the intendedon electrically joined BES facilities isn’t a onesequence during faults. Settings verificationsand-done situation; both entities remain inbetween affected utilities is a two-way street,consultation with one another back-and-forthand both share responsibilities under this PRCuntil their respective peer-reviewed coordination027 requirement.studies can validate the settings are accuratewithin the given schemes involved. Both entitiesWhy is this necessary? Because power systemsmust agree and sign off to this effect, which ischange over time. With the PRC-027 standard,the documentation NERC auditors want to seeNERC addresses the likelihood that protectionprovided with PRC-027 evidence.BETWEEN PROCESSES ANDTURNING THE CORNER ON CYBER-SECURE PROTECTION TESTINGNETAWORLD 7
FEATUREDOC UM E NTAT IONNERC standards PRC-004, PRC-005, andPRC-027 are just three examples of standardsthat affect protection engineers and relaytesting crews by requiring documented proofthat activities are performed as mandated.The documentation these standards requirecan come from the same data source ifa robust central management system isimplemented that tracks lifecycle relay testdetails, maintenance intervals, relay settingsand configuration changes, and associatedwork assignments. Many other NERC PRCstandards impact protection engineers that alsorequire evidence of compliance.Protecting PRC compliance data and enablingautomation while P&C teams do their workis possible with commercially available centralmanagement software. However, softwareautomation depends on the human element.OT/IT teams need to be aware of processesand procedures P&C teams have in theircompliance responsibilities. Conversely,P&C workers need to accept their roles andresponsibilities in cyber security.Implementing a central management systemthat supports PRC compliance reporting andoffice-to-field workflows takes a consultativeprocess involving company stakeholders andthe software vendor. A quality supplier willhave a proven track record with many installedutility customers. The ideal supplier will offerconfigurable software and a detailed statementof work (SOW) that is clear and captures thefull scope of the implementation project. Thesystem must comply seamlessly with institutedcyber security measures and offer powerfuladministrative controls over user accessprivileges.C YB E R ATTAC KSUnrelenting cyber attacks on utility computernetworks have increased concerns of adaptivemeasures cyber criminals will take to achievetheir objectives. NERC CIP standardschallenge utility cyber security programs toelevate their defenses by reducing their threatvectors.8 WINTER 2021NERC CIP-013, Supply Chain Risk Managementin particular mandates that utilities have securitycontrols concerning computer software andhardware products being procured. At issueare cyber threats that may be posed to theBES if the products are compromised comingfrom the vendor. CIP-013 requires proactivecommunication from vendors if cyber securityrisks are determined in products sold to utilities,and utilities must coordinate risk managementplans in their supply chain procurementprocesses to prevent onboarding products thatcould pose cyber security risks.NERC CIP-010, Configuration ChangeManagement and Vulnerability Assessments existsto prevent unauthorized changes on BES cybersystems by external intruders. Utilities mustdetermine and address vulnerabilities beforehackers have the opportunity to exploit themfor nefarious purposes.CIP-010 requires vulnerability assessmentsevery 36 months that look for gaps in andassess the effectiveness of preventive measuresagainst malicious cyber attacks. One measurethat can prevent hackers from accessing cybersystems is maintaining up-to-date securitypatches. Unpatched software allows hackersto run malicious code by using a known,unpatched security bug, and so cyber hackersalways try to exploit unpatched systems.As part of vulnerability assessments underCIP-010, utilities must produce evidence thatthey have reviewed installed patches, that theyhave a security patch review and mitigationprocess, and that they have processes forother cyber security vulnerability mitigationsconcerning software and software patches oncyber assets.Requirement 4 (R4) of CIP-010 requiresutilities to deploy transient cyber asset(TCA) computers for workers to use whenconnecting to cyber assets like microprocessorbased protective relays. Having securedTCAs prevents the possibility of malwarebeing introduced onto cyber assets duringmaintenance.TURNING THE CORNER ON CYBER-SECURE PROTECTION TESTING
FEATUREInteractions Affecting PRC and CIP ComplianceNERC PRC-027 Coordination &PRC-004 Misoperations Power System DataSetting CalculationsCoordination StudiesCommunication with ConnectedEntitiesNERC PRC 005Maintenace Deploy Settings and Patches Track Intervals and ResultsNERC CIP-007 SystemSecurityPower System Model Security Patch ManagementNERC CIP-010 ChangeManagement andVulnerability Assessments Maintain Cyber Asset Security Maintain Transient Cyber AssetsNERC CIP-013Supply Chain Risk Supply Chain SecurityGovernanceCentral Management Plan Secure, expandable data warehousing that supportssystem protection and cyber security Non-disruptive processes and workflow controls Transparent engineering, maintenance, and compliancecoordination Automated trending, analysis, messaging, and reportingfunctionsFigure 2: Integrated data and workflow processes supported by a central management platform ensure efficient NERC PRCand NERC CIP compliance.Taken together, the requirements of CIP-010impact OT/IT workers who must supportsecurity patching for a multitude of P&Csoftware applications and manage thoseupdates on TCAs across their organization.Baseline configurations of all cyber assetscomprising cyber systems must be monitoredand vulnerability assessments must beperformed every 36 months to detect anymeans by which unauthorized changes to BEScyber assets could occur.NERC CIP-007, Systems Security Managementrequires a process for assessing, tracking,and installing cyber security patches on BEScyber assets. Utilities must operate theirpatch management process every 35 days toavoid non-compliance penalties. Given thehigh volume of devices and applications thisstandard affects, efficient monitoring andcontrol practices are critical. Commercialpatch management that addresses CIP-007requirements is available that provides a sevenday turnaround and can be a valuable solutionfor overwhelmed OT/IT resources.Compliance with NERC PRC and NERC CIPrequirements would benefit from some form ofautomation to offload burdens from personnelwho already have heavy workloads. The optimalscenario is central management from an integratedplatform of software systems that can track datafrom front-end testing and maintenance activitiesto protection system engineering to back-endcompliance and cyber security processes.Ultimately, PRC requirements come down toassurance that protection systems will operateas intended to maintain reliable power deliveryon the BES. NERC mandates that utilitiesTURNING THE CORNER ON CYBER-SECURE PROTECTION TESTINGNETAWORLD 9
FEATUREensure their relay settings are reviewed and thatthey are properly coordinated across the grid.Protection engineers must demonstrateconsistency and thoroughness in all aspectsof the settings development and deploymentprocess. Personnel who test relays must maintaincyber secure measures while entering substationsand performing work on substation networks.When they test relays — cyber assets — theyhave additional responsibilities to defend againstcyber attacks while ensuring relays are properlyset and correctly functioning.NERC CIP requirements affect PRCcompliance activities by requiring TCAs to beused by field crews. Additionally, the softwareP&C personnel need on their TCAs mustbe patched and monitored regularly, and theTCAs themselves must be tracked.An integrated management platform mustsupport the monitoring and patch managementof testing software used in the field on TCAs.It must also handle power system model dataand relay settings lifecycle changes generatedby protection engineering teams. It should offermodules for connecting P&C data to enterpriseasset management (EAM) systems, evenoffering specialized P&C work managementcomponents that augment EAM workflows. Itmust also provide straightforward, configurablereporting in all aspects for any stakeholder.The platform must be supported by a relationaldatabase that can offer structured data forlinking to external systems. Utilities workingwith a supplier to implement an automatedcentral management system have theopportunity to look at existing processes andshed inefficient or unnecessary practices.Through a consultative implementation process,utilities can harmonize different data from varioussources and for different stakeholders into amodern way of working that benefits all parties: Field crews will operate with theapplications they need and use TCAsseamlessly with test equipment and relays.10 WINTER 2021 Protection engineers will have templatesthat standardize settings developmentand will seamlessly flow settings datainto power system models for efficientcoordination studies. Compliance officers will have dashboardsand simplified reporting. OT/IT personnel will have loweradministrative burden.CONCLUSI ONEffective NERC compliance programs are thosethat enable utilities to achieve objectives. Rightnow, the benefits of substation automation andrenewables are becoming tangible, but digitalprotection systems and the effects of inverterbased generation on the BES need workers’focus to overcome these complex issues.Compounding the complications they alreadyface with inefficient compliance programoperations can prevent modernization fromhappening. Utilities that work from a culture ofNERC compliance and have the proper tools todo their jobs are in the best positions to avoidfinancial penalties from non-compliance andovercome the uncertainties of technologicaland regulatory changes over time.Bryan Gwyn, PhD, CEng, is thesenior director of solutions at DobleEngineering Company where he bringsstrategic leadership to engineering teams inprotection system and cyber security subjectareas that advance new product and serviceofferings for the global power deliverymarketplace.Sagar Singam is a cyber security engineerwith Doble Engineering Company wherehe performs consultative professional servicesin the delivery of Doble PatchAssure and Doble TCA Program cyber securitysolutions.Joe Stevenson is a product marketingmanager with Doble EngineeringCompany where he develops marketingstrategies and materials in support ofDoble protection software including DoblePowerBase , Doble Protection Suite , andDoble RTS .TURNING THE CORNER ON CYBER-SECURE PROTECTION TESTING
Matters of NERC PRC and NERC CIP compliance intersect during protection system testing on substation networks. In the modern regulato ry environment, the beneits of computer-based relaying are challenged by the costs of cyber security and disrupted or insuicient relay testing practices. he way forward demands interconnected data and the ability
