NERC: The Key to North America’s Electrical Infrastructure

By Andy Marker | October 11, 2018

It happens when we least expect it: The power goes out in our home or business due to bad weather, sabotage, accident, vermin, vegetation encroachment, or other incidents. Unless it makes the nightly news, we rarely know what prompted the short-term disruption.

The electricity grid across the United States, Canada, and part of Mexico is a vital element in our daily lives, yet most of us take readily available and reliable electrical power for granted. But the 1,900-plus operators who work on the four interconnected grids across North America are well aware of the intricacies of generation and delivery of bulk electricity. And it is up to the North American Electric Reliability Corporation (NERC) to provide the guidance, standards, education, and compliance activities that keep the lights on in our cities, homes, and businesses.

In this article, we will cover the intricacies of the NERC organization, including its history, standards, compliance requirements, and benefits.

What Does NERC Stand For?

The acronym NERC has undergone numerous changes over the years. It began in 1968 as the National Electric Reliability Council, and has since morphed several times. Today, it is known as the North American Electric Reliability Corporation.

NERC is the watchdog organization that develops and improves the reliability standards, monitors and enforces compliance, provides education and leadership to the industry, and issues penalties for violations or nonconformance. NERC serves the contiguous United States, Canada, and the northern part of Baja Mexico. It is an independent, nonprofit, self-regulatory organization that also has been designated as the Electric Reliability Organization (ERO) in the United States. NERC’s membership of operators and owners numbers over 1,900, and they serve more than 334 million people.

The History of NERC

NERC was formed in the late 1960s as a voluntary organization with the goal of ensuring reliability in bulk power generation and delivery for the United States. In 1981, the name changed from “National” to “North American” to recognize interconnectivity and agreements with Canada and part of Baja California.

As a consequence of the 2003 Northeast blackout, which left over 50 million people in the dark, the United States enacted the Energy Policy Act of 2005. As part of the law, the United States designated NERC as the nation’s ERO. NERC operates the Electricity Information Sharing and Analysis Center (ES-ISAC).

Today, under NERC, there are four areas of interconnection and seven Regional Entities (RE) that monitor, register, and certify members:

  • Interconnections

    • Eastern Interconnection

    • Western Interconnection

    • Quebec Interconnection

    • Texas Interconnection

  • Regional Entities

    • Florida Reliability Coordinating Council (FRCC)

    • Midwest Reliability Organization (MRO)

    • Northeast Power Coordinating Council (NPCC)

    • ReliabilityFirst (ReliabilityFirst)

    • SERC Reliability Corporation (SERC)

    • Texas Reliability Entity (Texas RE)

    • Western Electricity Coordinating Council (WECC)

NERC’s Four Pillars of Continued Success

As with all regulations, NERC’s reliability standards are built around a guiding principle. NERC has defined this as its four pillars for continued success. In the words of NERC, they are:

  1. Reliability: To address events and identifiable risks, thereby improving the reliability of the bulk power system

  2. Assurance: To provide assurance to the public, industry, and government for the reliable performance of the bulk power system

  3. Learning: To promote learning and continuous improvement of operations and adapt to lessons learned for improvement of bulk power system reliability

  4. Risk-Based Approach: To focus attention, resources, and actions on issues most important to bulk power system reliability

These four pillars support NERC’s stated strategic goals in the following areas:

  • Standards and Compliance: Develop clear, reasonable, and technically sound mandatory reliability standards in a timely and efficient manner.

  • Risks to Reliability: Be a strong enforcement authority that is independent, objective, fair, and without conflict of interest.

  • Coordination and Collaboration: Promote a culture of compliance with mandatory reliability standards across the industry.

NERC Reliability Standards

Since 2010, NERC has focused on results-based standards. NERC describes these standards as actions that look at what is accomplished rather than how it is done. NERC also considers each standard a “defense-in-depth strategy that works to prevent harm.”

NERC enforces approximately 100 standards across 14 different disciplines. Enacting and following requirements, as well as proving compliance with these standards, require a team of people. The standards cover many business functions, such as facility planning, emergency preparedness, voltage and balancing, and interconnectivity. The standards include elements for communication, personnel, training, and physical and cybersecurity.

NERC monitors these standards for compliance and enforcement through the above-mentioned REs. The REs also approve mitigation plans and assess penalties for noncompliance.

The ERO updates the Reliability Standards Development Plan (RSDP) to provide the current status of standards projects and future work. The RSDP is the primary tool used in the development of reliability standards.

What Is NERC Compliance?

Any organization associated with electrical generation, transmission, and interconnection of the bulk power system in the United States, Canada, and part of Mexico is subject to NERC standards. NERC states, “All bulk power system owners, operators, and users must comply with NERC-approved Reliability Standards.” As a condition of doing business in the electricity sector, organizations must register with the appropriate RE.

Compliance under NERC is authorized by the Federal Energy Regulatory Commission (FERC) through the Federal Power Act. As such, NERC measures compliance activities by monitoring, registering, and certifying organizations that power North America. Noncompliance or violations are subject to penalties based on severity and duration. Specialized, high-level reliability functions demand additional certifications, which are completed through the appropriate REs. When an organization is in violation of standards, REs assess penalties and monitor approved mitigation plans for compliance.

Benefits of NERC

NERC standards serve the express purpose of providing guidance and assuring reliability in the generation and delivery of bulk electrical services. The 1,900-plus operators are subject to the same standards, which ensure that best practices are communicated and followed equally by all.

A common goal is to engage behaviors and systems for reliability in the generation, delivery, and operations across interconnected areas and international borders. Although compliance with NERC standards does not mean critical infrastructure is 100 percent risk-free, it does mitigate disturbances to electrical service delivery. Since generation and delivery of bulk electricity is recognized as a critical infrastructure activity, NERC has standards in place that prevent and mitigate harm in the event of disturbances to the systems.

How to Manage NERC Compliance

The ERO Enterprise (composed of NERC and eight Regional Entities) Compliance Monitoring and Enforcement Program (CMEP) releases an annual implementation plan. This plan provides guidance for successful compliance monitoring and enforcement. The annual implementation plan includes risk elements, which help prioritize compliance efforts. The current risk elements include the following:

  1. Critical infrastructure protection

  2. Extreme physical events

  3. Maintenance and management of BPS assets

  4. Monitoring and situational awareness

  5. Protection system failures

  6. Event response/recovery

  7. Planning and system analysis

  8. Human performance

For registered organizations, NERC conducts audits every six years. For those with certifications, audits occur every three years. The Regional Entities provide templates and worksheets that outline the required audit information. The worksheets are called Reliability Standard Audit Worksheets (RSAW). Third-party vendors may supply services that support many elements of NERC compliance activities, such as those for self-certification. Additionally, they can assist in finding gaps in processes, provide mock audits, test against compliance, create policy, and provide management guidance. They can also do maintenance reviews, provide mitigation planning, and deliver personnel training.

NERC compliance and certification consist of the following activities:

  • Organization registration

  • Organization certification

  • Compliance investigations

  • Complaints

The Complexities of NERC Compliance

The bulk electricity infrastructure in North America is a complex, interconnected, and international endeavor. As such, NERC works with and across governmental boundaries and agencies to foster cooperation, impose standards, monitor activities, and levy appropriate penalties.

NERC acknowledges that not all incidents can be prevented, even with the best standards and practices in place. However, by having a set of standards that are fairly and consistently enforced, NERC can greatly reduce the number of incidents. NERC standards take into account the benefits of quick response and recovery as part of their structure. When an incident does occur, it is quickly addressed and remedied.

What Is NERC Certification?

All organizations under NERC are required to register with their Regional Entity (RE). In addition, certifications under NERC’s Organizational Certification Program are required for functions and areas where standards for reliability performance are deemed crucial. These are identified as reliability coordinators (RCs), transmission operators (TOPs), and balancing authorities (BAs). Operators have nine months to complete the application process before they can begin operations.

What Is the NERC CIP Standard?

Among the numerous NERC standards, few get as much attention as those for Critical Infrastructure Protection (CIP). The U.S. Department of Homeland Security (DHS) defines critical infrastructure as the essential activities that support national security, the economy, and the overall welfare of citizens. The Critical Infrastructure Protection Act applies criminal penalties for anyone who willingly trespasses on critical infrastructure property.

DHS recognizes 16 areas of critical infrastructures, which include defense, the health sector, water, agriculture/food, dams, emergency services, and financial systems. Among them, the energy sector and bulk power system grids are of great importance since most other critical infrastructures depend upon electricity to maintain viability.

Version 5 of NERC-CIP has 14 standards, 11 of which are subject to enforcement. The standards cover both cybersecurity and physical infrastructure security. Updated regularly, the 11 current, enforceable standards are as follows:

  1. CIP-002: BES Cyber System Categorization

  2. CIP-003: Security Management Controls

  3. CIP-004: Personnel and Training

  4. CIP-005: Electronic Security Perimeter(s) (ESP)

  5. CIP-006: Physical Security Perimeter (PSP) of BES Cyber Systems

  6. CIP-007: Systems Security Management

  7. CIP-008: Incident Reporting and Response Planning

  8. CIP-009: Recovery Plans for BES Cyber Systems

  9. CIP-010: Configuration Change Management and Vulnerability

  10. CIP-011: Information Protection

  11. CIP-014: Physical Security

This research examining critical infrastructure protection experiences, systems, and applications by Jose M. Yusta, Gabriel J. Correa, and Roberto Lacal-Arantegui was published in 2011. It is still heavily cited as a resource discussing methodologies and applications on critical infrastructure protection.

The Framework for Improving Critical Infrastructure Cybersecurity

The Cybersecurity Enhancement Act of 2014 (CEA) calls upon the National Institute of Standards and Technology (NIST) to identify elements and develop a framework for use by critical infrastructure owners and operators, including those in the electricity sector. Use of the framework is voluntary, but for those who adopt it, it establishes a common language and organizational structure with a focus on flexible, repeatable, performance-based and cost-effective strategies.

The framework itself does not add regulatory requirements. Instead, it is a living document that can be used by any organization that manages cybersecurity risk. The framework is composed of the Framework Core, Implementation Tiers, and Framework Profiles. The framework, however, is not constructed just for critical infrastructures. It can be adopted by any company or enterprise that is at cyber risk. The framework aims to do the following:

  • Identify: Develop an understanding within the organization for managing cybersecurity risk to internal systems, personnel, assets, data, and capabilities.

  • Protect: Develop and implement necessary safeguards to reliably deliver critical services.

  • Detect: Develop and implement activities that flag and identify a cybersecurity event as it occurs.

  • Respond: Develop and implement activities that trigger actions for specific detected cybersecurity incidents.

  • Recover: Develop and implement activities to manage plans for resilience and to bring back any capabilities or services that were affected by a cybersecurity incident.

These five elements can be correlated to the NERC-CIP mandates for security of cyber infrastructures through plans and processes that protect, deter, prevent, limit, and recover when faced with cyberthreats or physical infrastructure threats.

Organizations of all levels have discussed cybersecurity for critical infrastructure for years. In 2010, a proposed SCADA security framework, encompassing real-time monitoring, anomaly detection, impact analysis, and mitigation strategies, appeared in this publication.

Cybersecurity has become such a hot topic that test beds, such as the one at the Mississippi State University SCADA Security Lab, have been created to research cybervulnerability of multiple critical infrastructure protection industries, including electricity.

The Critical Infrastructure Protection Committee (CIPC)

NERC formed the Critical Infrastructure Protection Committee (CIPC) to act as an advisory panel to its Board of Trustees, CIPC subcommittees, and the Electricity Information Sharing and Analysis Center (E-ISAC). This committee, along with its partners, develops and revises CIP standards. The CIPC is also responsible for communicating standards and providing education through forums and workshops related to CIP.

The CIPC invites members to actively debate and share views as the group forms and revises standards. Members work closely to integrate and coordinate with the three governments and their agencies. The group’s executive committee (CIPCEC) works with numerous subcommittees to oversee the areas of operational security and policies. Subcommittees are composed of working groups and task forces on operations that support security areas, including physical and cybersecurity.

The CIP subcommittees include the following:

  • Physical Security (PSS)

    • Protecting Sensitive Information Guideline Task Force (PSIGTF)

    • Physical Security Guideline Task Force (PSGTF)

    • Security Training Working Group (STWG)

    • Physical Security Working Group (PSWG)

  • Cybersecurity (CSS)

    • Control Systems Security Working Group (CSSWG)

    • Cyber Attack Tree Task Force (CATTF)

    • Cyber Security Analysis Working Group (CSAWG)

  • Operating Security (OSS)

    • Electricity Sector Information Sharing Task Force (ESISTF)

    • HILF Implementation Task Force (HITF)

    • Grid Exercise Working Group (GEWG)

    • Business Continuity Guideline Task Force (BCGTF)

  • Security Policy (SPS)

    • Bulk Electric System Security Metrics Working Group (BESSMWG)

    • Personnel Security Clearances Task Force (PSCTF)

    • Compliance Enforcement and Input Working Group (CEIWG)

    • Physical Security Standard Working Group (PSSWG)

Additional boards, programs, and organizations have formed to influence, manage, regulate, and promote the reliability of the North American power system. NERC is involved in the coordination and management, and in some cases, it participates in these entities. These include the following:

  • North American Energy Standards Board (NAESB): Members and staff of NERC actively participate and coordinate with NAESB.

  • Cybersecurity Risk Information Sharing Program (CRISP): A NERC program that is managed by E-ISAC.

  • Compliance and Certification Committee (CCC): A NERC board-appointed committee that reports to the NERC board.

Our world depends on the reliable delivery of electricity to manage even the simplest parts of our day. The systems in place in North America, invisible to the millions of users, boast 211,000 miles of high-voltage transmission lines and over $1 trillion worth of assets. They connect three countries and 48 states. And yet most of us experience few disruptions of service in our day-to-day lives. Even during inclement weather or other incidents, power outages are often measured in minutes and hours rather than days.

Today, cyberthreats are the newest menace to the reliable delivery of service. Regardless of weather, personnel training, or cyberthreats, it takes planning, oversight, coordination, and standards to keep electricity flowing to the over 300 million users across North America. The work and regulatory oversight of NERC provides the protections needed for this critical infrastructure. Unsung and rarely thought about or appreciated, it’s their job to make sure that the next time you flip that switch, the lights will turn on.
