The April 21, 2017, San Francisco outage should raise red flags at DOE, FERC and NERC about how they classify Critical Infrastructure and Key Resources (CIKR) and Bulk Electric System (BES) assets beyond voltage bright-lines and KVA classification. This outage emphatically points out that system reliability, the definition ofkey facilities, and economic impact should be considered during CIKR classification. The outage also demonstrates the limitations of several key NERC reliability and cyber security standards.
The first issue regards the NERC practice of providing exceptions for defining a transmission asset - http://www.nerc.com/pa/RAPA/BES%20DL/BES%20Exception%20Evaluation%20Guideline%202-4-14%20REMG%20App.pdf . Note that exceptions E1 and E3 can be used to exclude substations over 100KV from being defined as transmission thus relieving their owners from having to meet transmission-level requirements for these substations. Whether the Larkin Street substation has been defined as transmission or distribution should be of great interest to FERC and California PUC when they conduct their fact finding of the outage. But keep in mind that the Larkin Street substation is the largest load block in PG&E’s service territory.
Specifically, the CA ISO 2011-2012 Transmission Plan dated March 14, 2012, studied 68 contingencies in the bulk system for the Diablo Canyon Plant Interface Requirements. The study included an assessment of the consequences of the contingent loss of one load block at the Larkin Street Substation. There are several references to the CA ISO Transmission Plan that relate to PG&E, NERC, and this outage. The CA ISO Transmission Plan explicitly identifies the Larkin Street Substation as a bulk transmission asset. Therefore, the Larkin Street substation should be addressed by the NERC CIPs. The second reference is the statement that the Larkin Street Substation is the largest load block in PG&E’s service territory. Yet, by existing NERC CIP criteria, the Larkin Street Substation is only a “Low Impact” facility meaning that effectively no cyber security requirements, regardless of their importance to the national and international economy, are required. In fact, under some interpretations, the Larkin Street Substation may not even be considered a bulk transmission asset.
PG&E’s 2012 Request Window Proposals Greater Bay Area - North Transmission System Planning dated PG&E September 27, 2012 identified that a breaker failure of the Potrero 115 kV CB 102 during summer peak conditions could result in a 156% overload on the Potrero-Larkin No. 2 (AY-2) 115 kV Cable and a bus fault on Potrero 115 kV Bus Section 1D or 2D during summer peak conditions could result in an overload on the Potrero-Larkin No. 2 (AY-2) or Potrero-Mission (AX) Cables. From the 2012 PG&E report, the in-service date for these fixes are May 2017. Additionally, the CA ISO 2015-2016 Transmission Plan dated March 28, 2016, identifies numerous cases where the Larkin Street substation lines are thermally overloaded (as are many other PG&E transmission lines). Under the title “Potential Mitigation Solutions”, it states “Mitigation under investigation”.
While the root cause of the outage is being attributed to the physical failure of a breaker, the consequences of a breaker failure due to a cyber attack would have been the same. This means that the NERC CIP criteria would have not provided the regulatory coverage that might have prevented this major outage. Given that the 2015 and 2016 Ukrainian cyber attacks targeted the substation breakers, cyber attacks against substation breakers are not hypothetical.
Fortunately, PG&E has stated that the Larkin Street Substation will be undergoing a $100Million upgrade next year. The new technologies however, will introduce many new cyber systems with accompanying cyber vulnerabilities. Yet, because of the way NERC CIP rules can be applied, there is no compelling enforcement and thus, these cyber security requirements are able to be effectively ignored.