Risk Based Assessment


8/12/2019 Risk Based Assessment
www.icfi.com/energy

ICF White Paper on Risk Based Assessment Methodology to Identify Critical Assets

Overview

In January 2008, the Federal Energy Regulatory Commission (FERC) approved Order 706, which made CIP Standards 002 through 009 and the associated CIP implementation schedule mandatory. The FERC order provided NERC with direction on how to modify certain standards and required that NERC provide guidance and support to the industry on the Risk-Based Assessment Methodology (RBAM) called for in CIP-002.

This document focuses on CIP-002 since this particular standard is the basis for the CIP Reliability Standards: it acts as a filter, determining whether a responsible entity must comply with the remaining CIP Requirements in CIP-003-1 through CIP-009-1.

CIP-002 through CIP-009 require that certain users, owners, and operators of the BES comply with specific requirements to safeguard the protection of the Critical Cyber Assets that control or affect the reliability of North America's BES.

In accordance with the CIP implementation plan, Balancing Authorities (BA), Transmission Operators (TOP), and Reliability Coordinators (RC) that were required to self-certify compliance to NERC's Urgent Action Cyber Security Standard 1200 (UA 1200) should have been Auditably Compliant in the second quarter of 2009. Most other responsible entities must be Compliant by December 31, 2009 and Auditably Compliant by December 31, 2010. All entities will have to self-certify their compliance with the CIP standards twice per year.

NERC Criticality Evaluation Guideline for Transmission, Generation Resources, Control Centers and Special Systems

The NERC Critical Infrastructure Protection Committee (CIPC) has worked extensively to put together a guideline to help registered entities devise a proper methodology for identifying their Critical Assets (CA) and Critical Cyber Assets (CCA).

As a result, the CIPC formed the Security Guidelines Working Group (SGWG) with the responsibility to review the existing and new CIPC-initiated security guidelines and coordinate their development with electric industry personnel and committees.

SGWG developed the first Guideline for Identifying Critical Assets in 2008. In 2009, SGWG developed two new guidelines. The first is a revised guideline for identifying the Critical Assets and the second is for identifying the Critical Cyber Assets.

In September of 2009, CIPC approved the new guideline for Critical Asset Identification. This guideline specifically relates to Requirement 1 (R1) of CIP-002. The SGWG-developed guideline for Critical Cyber Asset Identification is also on track for CIPC review and approval later this year.

CIP-002 requires each responsible entity to develop a Risk Based Assessment Methodology (RBAM) to use in identifying its Critical Assets (R1) and develop a list of CA(s) such as facilities, systems and equipment (even if such list is null) based on an annual application of the RBA (R2 and R4). Furthermore, the responsible entity must use the list of Critical Assets to develop a list of associated Critical Cyber Assets that are essential to the operation of the Critical Assets (R3).

Guideline documents referenced above:
http://www.nerc.com/docs/cip/sgwg/Critical_Asset_ID_Final_Clean.pdf
http://www.nerc.com/docs/cip/sgwg/Critcal%20Cyber%20Asset%20ID%20V0%20R902%20for%20CIPC%20Review.pdf

In particular, the guideline addresses some of the common concerns such as:

1. The asset types that have to be evaluated
2. Evaluation guidelines for each of the asset types
3. Guidelines for documentation of the assessment

This revised guideline takes a new approach with special emphasis on the definition of ALR (Adequate Level of Reliability) and the use of ALR for the consideration of criticality of different asset types.

As listed in Table 1, a system with the following six characteristics will meet the definition of ALR.

Table 1: Adequate Level of Reliability Definitions

ALR Requirement Number | ALR Definition
1 | The System is controlled to stay within acceptable limits during normal conditions
2 | The System performs acceptably after credible contingencies
3 | The System limits the impact and scope of instability and cascading outages when they occur
4 | The System's facilities are protected from unacceptable damage by operating them within Facility Ratings
5 | The System's integrity can be restored promptly if lost
6 | The System has the ability to supply the aggregate electric power and energy requirements of electricity at all times, taking into account scheduled and reasonably expected unscheduled outages of system components

Source: NERC

The September 2009 CIPC guideline on Identifying Critical Assets (CA Guideline) provides four main tables as evaluation guidance for determining the criticality of four asset types. The four asset types are Transmission Substations, Generator Resources, Control Centers and Special Systems. In each of the tables, the CA Guideline provides example criteria and a short description, in addition to listing the ALR characteristic number associated with each criterion.

Any asset whose loss or compromise could affect one or more of the six ALR characteristics represents unacceptable consequences to the BES and therefore should be considered a Critical Asset.

The Risk Based Assessment Methodology (RBAM) is expected to include procedures and evaluation criteria that act as a series of inputs and filters used in determining the criticality of an asset.

The key factor in developing the RBAM is to identify the appropriate logic or evaluation basis that will form the filtering criteria for each step. As part of a company's RBAM, the CA Guideline specifically discusses utilizing engineering assessments as a part of the filtering criteria.

The CA Guideline states that, "An engineering assessment or simulation provides a basis to determine the extent to which an asset supports reliability or operability of the BES. Assessments, such as contingency, steady state or transient load flow analysis or other relevant tools, modeling exercises and techniques, should therefore serve as the basis for evaluation of an asset's impact on the grid." The guidance also emphasizes that the assessment consider varying load conditions and stresses the use of steady state power flow analysis with relevant models and techniques.

Since 2007, ICF has used engineering assessments as the primary basis for determination of critical assets for Transmission and Generation resources. The CA Guideline acts as a reinforcement of our assessment methodology and confirms the past and future utility of these assessments as part of a robust RBAM.

In addition, ICF utilizes FERC Order 706, NERC approved guidelines and a number of authoritative publications such as NIST 800-53 to capture both the reliability impact and the cyber impact of the Control Centers and Special Systems used for reliable operation and protection of the BES.

The following sections of this paper focus on the ICF methods used for determining the criticality of Transmission and Generation assets.

Risk and Risk Based Assessments

In a traditional sense, risk can be defined as a function of the probability and the impact of an event. Risk-Based Assessment (RBA) is an analytical method to determine the value of risk related to a recognized threat.

Figure 1 shows the empirical dependency for different risk levels. Each color in the figure represents a risk tolerance level based on the nature of the event under consideration.

As an example, consider the consequences of an electric power outage. Businesses and homeowners struggle with the absence of electrical service, but since in many cases restoring power takes a substantial amount of time, the increased risk to national security during such events can be severe and may be an even greater concern. As a result, even though the probability of such an occurrence may be low, the associated risk could be very high.

Figure 1: Risk Tolerance Levels

The CA Guideline assumes that the probability of the potential for threats and vulnerabilities always exists (i.e., the probability of occurrence = 1.0) and therefore the risk-based assessment essentially becomes an impact analysis.

The CA Guideline states, "Impacts can be intentional or unintentional, affecting not only an asset's availability but also its functional integrity. Compromise may include effects that are not immediately apparent. Impact analysis should consider BPS operations under different conditions."

Similarly, NERC Vice President and Chief Security Officer Michael Assante's April 7, 2009 letter to the industry states, "NERC is requesting that entities take a fresh, comprehensive look at their risk-based methodology and their resulting list of CAs with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors."

Both these statements indicate that the RBAMs used by the Responsible Entities should be devised to identify the CA and their associated CCA, which should be safeguarded in such a way as to support and enable the BES to withstand sudden, unexpected disturbances such as short circuits and unanticipated loss of system elements due to natural causes, in addition to withstanding disturbances caused by man-made physical or cyber attacks of misuse, manipulation and denial of service.

Engineering assessments therefore become the essential part of the asset's inclusion or exclusion process in the critical list.

Power-flow modeling tools have long been used as the engineering assessment of choice when studying the operation of the asset within the interconnected system. They have been used extensively in the Transmission Planning studies that support NERC TPL Standards. Such an analytical approach continues to be a strong and viable contender to assess how a particular asset influences the BES and thus determine its criticality. This approach is also in line with the CA Guideline, where engineering assessments need to be used as the reasoning factor to apply an evaluation criterion.

For each particular facility under study, the ICF methodology considers an electrical area in its engineering assessment/RBA large enough to include the portions of the grid that could possibly be affected by the operation of the facility. The ability of the BES to operate reliably is assessed by monitoring voltage levels at substations and thermal loadings of lines under normal and contingency conditions. Typically, under normal and contingency conditions, transmission line flows are expected to remain within the normal and short-term emergency ratings, respectively. Similarly, voltage levels are expected to remain within specified limits.[1] Violations of voltage and line limits may indicate a system with compromised reliability.

The location, size and nature of a unit also play a very important role in determining criticality. Small units of less than 50 MW typically tend to have minimal impact on the operation of the BES. However, depending on the location, some of these units may be required to be online to provide VAR support or voltage assistance.

The CA Guideline encourages the Responsible Entities not to work in isolation and to involve system operators and planning engineers in the development of their Risk Based Methodologies. Entities are also asked to seek cooperation from Reliability Coordinators, Balancing Authorities or other BES asset owners, if needed. This cooperation could also result in an additional reasonable basis for filtering criteria, which may include authoritative studies such as Transmission Planning studies, other NERC documents and System Operators' bulletins which establish lessons learned based on past experience.

ICF is an authorized recipient of Critical Energy Infrastructure Information (CEII) and regularly receives the generation and transmission system representation in the form of power flow cases from FERC.[2] These system representations are used in the engineering assessments that determine the criticality of assets. This is consistent with the NERC requirement to integrate a wide-area view into the RBA as opposed to a narrow focus on just the asset under consideration.

Michael Assante's April 7, 2009 letter to the industry also states that the "Impact analysis should consider BPS operations under different conditions," which indicates that the engineering assessment should be robust and address varying conditions. These modeling-related issues are discussed in the next section.

[1] For example, substation voltages may be required to remain within 5% of the nominal value under normal conditions and within 10% under contingency conditions.
[2] FERC Form 715

Additional Issues to Consider

Under heavy loading conditions, typically occurring in summer in most parts of the US, there is a tight balance between demand and supply. In certain areas, low-voltage problems surface under light load conditions as well. These problems are related to frequency swings and the ACE (Area Control Error) running high.

Since other factors may vary during the operation of the system, additional scenarios may need to be examined as part of the RBA. Some additional issues that should be considered are:

o The methodology for re-dispatch of generation after the simulated outage of the test facility: While in some areas there are market-based approaches to deal with the loss of a generation unit, there are certain areas where it is completely done on a cost basis. Due concern has to be applied to the way in which generation units are dispatched in the area under different scenarios.

o Load forecast errors: In some markets the actual demand may consistently exceed the forecast. The effect of uncertainty in the load forecast should be incorporated in the modeling framework while testing the criticality of generation assets.

o Interchange with neighboring areas: As a rule of thumb, there are scheduled net interchanges, but they could vary under emergency conditions. The framework for power flow modeling should account for varying interchange levels to test the impact of the loss of the test facility under different interchange conditions.

The CA Guideline calls for impact analysis that considers BPS operations under different conditions similar to those detailed above. ICF has historically used rigorous power-flow modeling under varying load conditions to accurately identify critical assets. As part of the CEII that ICF receives from FERC, the power-flow models are constantly updated to accurately reflect grid conditions.

ICF Risk Based Assessment Methodology and Engineering Assessment Flow Charts

The ICF RBAM is presented as a series of process models. This section details the various stages of the methodology as a series of steps to determine if Critical Assets exist. Figure 2 is the pictorial presentation of the overall methodology per asset type. In accordance with the CA Guideline, Figure 3 demonstrates the ICF unit test used to determine an asset's criticality and serves as the reasonable basis for that asset's inclusion in or exclusion from the critical list.

ICF uses the GE Positive Sequence Load Flow (GE-PSLF™) model for performing Risk Based Assessments. PSLF is ideal for simulating the loss of generation or transmission resources from the power system, and the model provides comprehensive and accurate load flow, dynamic simulation, short circuit analysis, contingency analysis and system fault studies.

ICF's unit outage test is a steady-state, flow-based contingency modeling exercise where line loadings under normal and contingency conditions for both the reference case and the test case (with the unit outaged) are compared. In the case of generation resources, the facility becomes the test asset, and for transmission resources, the substation is considered the test asset. The results of the study are used to determine if the loss of the unit creates additional overloads in the transmission system. As an example, if there are new overloads created when the unit is taken out of service that exceed 110% of the short-term emergency rating, this could indicate that the loss of the unit creates a substantial impact on the BES.

ICF also investigates the possibility of mitigating these variations by changing the power output level of generators in the system through re-dispatch. If such mitigation is possible, then the impact of the absence of the facility is not expected to compromise the reliable operation of the system, and therefore the asset may not need to be considered critical.

Sample Generation Resource Criticality Power Flow Outputs

Sample results from a generation resource Risk-Based Assessment are shown in Tables 2 and 3. The Change Case shown in each table refers to the case where the test asset under consideration is taken out of service.

Table 2: Impact of Sample Generation Plant on Nodal Voltages, Line and Transformer Contingencies, Summer Peak

Monitored Bus[3] | Contingent Facility | Base Case PU Voltage | Change Case PU Voltage | Difference[4]
230kV STLUCIE | Line SABAL 230.0 to GATLIN 230.0 Ckt1 | 105.07% | 105.13% | 0.06%
230kV SABAL | Line SABAL 230.0 to GATLIN 230.0 Ckt1 | 105.21% | 105.27% | 0.06%
230kV MIDWAY | Line SABAL 230.0 to GATLIN 230.0 Ckt1 | 105.31% | 105.37% | 0.06%
230kV PEACOCK | Line SABAL 230.0 to GATLIN 230.0 Ckt1 | 105.25% | 105.31% | 0.06%
230kV STCEAST | Line HOLOPAW 230.0 to STCEAST 230.0 Ckt1 | 92.91% | 92.85% | 0.06%
230kV STCSOU | Line HOLOPAW 230.0 to STCEAST 230.0 Ckt1 | 93.07% | 93.01% | 0.06%
230kV MYAKKA | Line LAURELWD 230.0 to AUBURN 230.0 Ckt1 | 93.51% | 93.46% | 0.05%
230kV AUBURN | Line LAURELWD 230.0 to AUBURN 230.0 Ckt1 | 93.03% | 92.98% | 0.05%
230kV GRANADA | Line LAURELWD 230.0 to AUBURN 230.0 Ckt1 | 93.21% | 93.17% | 0.04%
230kV EMERSON | Line BREVARD 230.0 to MALABAR 230.0 Ckt2 | 105.23% | 105.26% | 0.03%
500kV POINSETT | Line SABAL 230.0 to GATLIN 230.0 Ckt1 | 105.50% | 105.53% | 0.03%
230kV CORTEZ | Line JOHNSON 230.0 to CORTEZ 230.0 Ckt1 | 93.91% | 93.88% | 0.03%
500kV MARTIN | Line SABAL 230.0 to GATLIN 230.0 Ckt1 | 105.42% | 105.45% | 0.03%

Table 3: Impact of Sample Generation Plant on Line Loadings, Line and Transformer Contingencies, Summer Peak

Monitored Facility[5] | Contingent Facility | Base Case Loading | Change Case Loading | Difference[6]
230kV FTMEADE to WLKWALE Line Ckt1 | Line HINES 230.0 to WLKWALE 230.0 Ckt1 | 83.3% | 84.9% | 1.61%
230kV RINGLING to POLO Line Ckt1 | Line LAURELWD 230.0 to PANACEA 230.0 Ckt1 | 80.6% | 81.6% | 0.92%
230kV FRTVILLE to RINGLING Line Ckt1 | Line RINGLING 230.0 to POLO 230.0 Ckt1 | 82.9% | 83.5% | 0.60%
500/230kV BRDGDUM to BRKRIDGE Xfmr Ckt1 | Line CENTFLA 500.0 to CRYSTRV 500.0 Ckt1 | 89.8% | 90.3% | 0.55%
500/230kV CENTDM2 to CENTFLA Xfmr Ckt1 | Line CENTFLA 500.0 to CENTDUM 500.0 Ckt1 | 121.1% | 121.6% | 0.42%
230kV FRTVILLE to PROCTOR Line Ckt1 | Line LAURELWD 230.0 to RINGLING 230.0 Ckt2 | 83.3% | 83.8% | 0.42%
500/230kV CENTDUM to CENTFLA Xfmr Ckt1 | Line CENTFLA 500.0 to CENTDM2 500.0 Ckt1 | 115.7% | 116.1% | 0.40%
230kV MANATEE to RINGLING Line Ckt3 | Line JOHNSON 230.0 to RYE 230.0 Ckt1 | 89.9% | 90.2% | 0.32%
230kV CRPLANT to HOLDER Line Ckt1 | Line CRPLANT 230.0 to HOLDER 230.0 Ckt2 | 81.6% | 81.9% | 0.31%
230kV CRPLANT to HOLDER Line Ckt2 | Line CRPLANT 230.0 to HOLDER 230.0 Ckt1 | 81.6% | 81.9% | 0.31%
230kV MANATEE to RYE Line Ckt1 | Line MANATEE 230.0 to RINGLING 230.0 Ckt3 | 91.9% | 92.2% | 0.31%
230kV JOHNSON to RYE Line Ckt1 | Line MANATEE 230.0 to RINGLING 230.0 Ckt3 | 88.9% | 89.2% | 0.31%
230kV PARRISH to BUFFALO_CRK Line Ckt1 | Line MANATEE 230.0 to RINGLING 230.0 Ckt3 | 82.3% | 82.6% | 0.30%

[3] The table shows the contingency causing the greatest difference in voltage from the Base Case to the Change Case for each monitored bus.
[4] Differences greater than 0.02% are shown.
[5] The table shows the contingency causing the greatest difference in loading from the Base Case to the Change Case for each monitored element.
[6] Differences greater than 0.1% are shown.
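The unit outage test described above and the per-element summaries in Tables 2 and 3 reduce to a screening step over base-case and change-case power-flow results; the following is an added example (not ICF's tooling and not GE-PSLF code) that flags overloads the unit outage creates, applies the 5%/10% voltage bands from footnote 1, and builds the "greatest difference per monitored element" summaries using the tables' reporting thresholds. It assumes loadings are given as a percentage of the applicable rating, treats any loading above 100% as an overload, and takes the outcome of a re-dispatch study as an input set of facilities that re-dispatch can relieve; the sample rows mix values copied from Tables 2 and 3 with constructed rows whose names start with EXAMPLE_.

```python
"""Screening step for unit outage test results (added example, not ICF's code)."""
from dataclasses import dataclass

NORMAL_BAND = 0.05        # +/-5% of nominal voltage under normal conditions (footnote 1)
CONTINGENCY_BAND = 0.10   # +/-10% under contingency conditions (footnote 1)
OVERLOAD_PCT = 100.0      # loading above its rating counts as an overload (assumption)
SUBSTANTIAL_PCT = 110.0   # "new overloads ... that exceed 110% of the STE rating"
VOLTAGE_REPORT = 0.02     # Table 2 shows differences greater than 0.02% (footnote 4)
LOADING_REPORT = 0.1      # Table 3 shows differences greater than 0.1% (footnote 6)


@dataclass(frozen=True)
class Sample:
    monitored: str     # monitored bus (Table 2) or facility (Table 3)
    contingency: str   # contingent facility; "normal" means no outage applied
    base: float        # reference case value, percent
    change: float      # test case value with the unit outaged, percent


def voltage_violation(pu_pct: float, contingency: str) -> bool:
    """True when a bus voltage lies outside the band that applies to the condition."""
    band = NORMAL_BAND if contingency == "normal" else CONTINGENCY_BAND
    return abs(pu_pct / 100.0 - 1.0) > band


def new_voltage_violations(voltages):
    """Buses within limits in the base case but outside them once the unit is out."""
    return [s for s in voltages
            if not voltage_violation(s.base, s.contingency)
            and voltage_violation(s.change, s.contingency)]


def new_overloads(loadings):
    """Elements that become overloaded only because of the unit outage; overloads
    already present in the reference case are not counted as new."""
    return [s for s in loadings if s.base <= OVERLOAD_PCT < s.change]


def substantial_impact(loadings, mitigable=frozenset()) -> bool:
    """Unit outage test: a new overload above 110% that re-dispatch cannot relieve.
    `mitigable` lists facilities a separate re-dispatch study could relieve (assumed input)."""
    return any(s.change > SUBSTANTIAL_PCT and s.monitored not in mitigable
               for s in new_overloads(loadings))


def worst_contingency_per_element(samples, threshold):
    """Table 2/3 layout: for each monitored element keep the contingency with the
    greatest base-to-change difference, drop differences at or below the reporting
    threshold, and list the survivors largest difference first."""
    worst = {}
    for s in samples:
        diff = abs(s.change - s.base)
        if diff <= threshold:
            continue
        prev = worst.get(s.monitored)
        if prev is None or diff > abs(prev.change - prev.base):
            worst[s.monitored] = s
    return sorted(worst.values(), key=lambda s: -abs(s.change - s.base))


# Sample rows: the first entries of each list are copied from Tables 2 and 3;
# rows whose names start with EXAMPLE_ are constructed for this example.
VOLTAGES = [
    Sample("230kV STCEAST", "Line HOLOPAW 230.0 to STCEAST 230.0 Ckt1", 92.91, 92.85),
    Sample("230kV STLUCIE", "Line SABAL 230.0 to GATLIN 230.0 Ckt1", 105.07, 105.13),
    Sample("230kV EXAMPLE_G", "normal", 95.3, 94.6),   # drops below the 95% normal limit
    Sample("230kV EXAMPLE_G", "Line EXAMPLE_C 230.0 to EXAMPLE_D 230.0 Ckt1", 94.0, 93.99),
]
LOADINGS = [
    Sample("500/230kV CENTDM2 to CENTFLA Xfmr Ckt1", "Line CENTFLA 500.0 to CENTDUM 500.0 Ckt1", 121.1, 121.6),
    Sample("230kV FTMEADE to WLKWALE Line Ckt1", "Line HINES 230.0 to WLKWALE 230.0 Ckt1", 83.3, 84.9),
    Sample("230kV FTMEADE to WLKWALE Line Ckt1", "Line RINGLING 230.0 to POLO 230.0 Ckt1", 83.3, 83.35),
    Sample("230kV EXAMPLE_A to EXAMPLE_B Line Ckt1", "Line EXAMPLE_C 230.0 to EXAMPLE_D 230.0 Ckt1", 98.0, 112.4),
    Sample("230kV EXAMPLE_E to EXAMPLE_F Line Ckt1", "Line EXAMPLE_C 230.0 to EXAMPLE_D 230.0 Ckt1", 99.5, 103.0),
]

if __name__ == "__main__":
    for s in worst_contingency_per_element(LOADINGS, LOADING_REPORT):
        print(f"{s.monitored} | {s.contingency} | {s.base:.1f}% | {s.change:.1f}% | "
              f"{abs(s.change - s.base):.2f}%")
    print("new overloads:", [s.monitored for s in new_overloads(LOADINGS)])
    print("new voltage violations:", [s.monitored for s in new_voltage_violations(VOLTAGES)])
    print("substantial impact:", substantial_impact(LOADINGS))
    print("substantial impact after re-dispatch:",
          substantial_impact(LOADINGS, {"230kV EXAMPLE_A to EXAMPLE_B Line Ckt1"}))
```

The pre-existing 121.1% overload from Table 3 is deliberately not reported as a new overload, and the same constructed facility flips the unit outage test from substantial to not substantial once it is marked as relievable by re-dispatch.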

Dynamic Studies for Frequency Response and Criticality

The NERC guideline for assessment of criticality of transmission and generation resources suggests the use of engineering analysis to study the frequency response to the loss of the asset and possible stability issues. This can be accomplished using a dynamic analysis of the power system. The dynamic power-flow analysis is an engineering study that can be used to determine the impact of an outside party, like an intruder, controlling generation or transmission assets. This kind of analysis would typically be required for assets that are located in a load pocket or at a major interface point of the transmission system that is frequently congested.

In the dynamic analysis, the time-domain response of the power system for a specified set of conditions, which could include the loss of the test generation or transmission asset or possible misuse of assets, would be studied for a specified time-frame. Typically, the frequency and voltage in the system are the best indicators of system conditions over time, and any abnormalities in these parameters would indicate other potential issues.

Figure 4 is a dynamic plot that shows the time variation of several parameters like frequency, bus voltages, and generator angles as an example to illustrate the nature of such analyses. In this example, the variation of these system parameters for a disturbance on the transmission network is shown. This type of dynamic study is also consistent with recent industry discussion regarding the potential use and misuse of generation assets.

Figure 4: Sample Dynamic Plot showing the variation of System Voltage (blue line) and other significant power system parameters for a system disturbance at time t = 1 second

Conclusion

The CA Guideline has been issued to provide the industry with new direction to comply with the Critical Infrastructure Protection Standards and in the identification of Critical Assets. Compliance starts with the development and application of a Risk Based Assessment Methodology to determine if Critical Assets exist. Engineering assessments that analyze the impact of an asset under varying conditions should serve as the reasonable basis for determining the extent to which an asset supports the reliable operation of the Bulk Electric System.

Ensuring BES reliability and protecting the nation's power grid infrastructure from any potential (intentional or unintentional) physical and cyber attack is one of the top priorities of the government and a number of regulatory agencies.

Similar to any other mandatory policy or provisions, the NERC CIP standards will continue to evolve over the next few years. The recent Concept Paper, "Categorizing Cyber Systems, An Approach Based on BES Reliability Functions", is a clear indication of the changes to come.

NERC recognizes that to meet the intent of the CIP standards utilities need to take additional steps that require time, money and often special expertise. As a result, NERC has worked with the industry and submitted to the Commission a set of parameters for Technical Feasibility Exceptions (TFE). The TFE allows a Responsible Entity to obtain a written approval from the appropriate regulatory body to achieve a comparable level of security to the particular requirement(s) at issue while working on a remediation plan and timeline to eliminate the exception.

The implications of a compromised system can result in severe consequences. National security implications and the social costs of an outage are certainly far reaching, but a company's reputation and financial standing are also at stake in consideration of FERC's maximum penalty of up to 1 million dollars per day, per event. For many reasons, the power industry must continue to take the steps needed to implement cyber security measures to safeguard its assets and operations.

ICF continues to support the Electric Power Industry in various areas of NERC Standards Compliance, Transmission Modeling and Cyber Security.

For more information, contact:

o Jimmy Glotfelty - 713-445-2002, [email protected]
o Farzaneh Tafreshi - 703-934-3447, [email protected]
o Ken Collison - 703-934-3806, [email protected]
o Kiran Kumaraswamy - 703-934-3623, [email protected]

This report was prepared by ICF Resources, LLC ("ICF"). COPYRIGHT 2009 ICF Resources, LLC. All rights reserved.

Concept Paper referenced above:
http://www.nerc.com/docs/standards/sar/Concept_Paper_Categorizing_Cyber_Systems_2009July21.pdf