This comment form is no longer interactive because the comment period is closed.

2016-02 Modifications to CIP Standards | Transmission Owner Control Center Performing Transmission Operator Obligations

Description:

Start Date: 03/14/2017
End Date: 04/11/2017

Associated Ballots:

Ballot Name Project Standard Pool Open Pool Close Voting Start Voting End

Filter:

Hot Answers

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

Injecting the concept of "capability" vs. "authority" will create confusion and, potentially, inconsistent application of Standards. Specifically, there are no criteria for how to determine if a Standard applies to an entity not included in the "Applicability" section of the Standard. Rather than go though the undefined, unclear exercise of determining whether a Registered Entity has the "capability" of performing activities assigned to another type of Registered Entity, NERC should revise the "Applicability" section of the Standards to ensure they apply to all relevant Registered Entities.

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

Other Answers

BPA agrees with the assertions.  BPA believes that risk to the BES is based on what an entity can do, not what an entity is registered to do.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 1 - 0

The NSRF agrees with SDT’s assertions regarding capability versus authority.  We belive the TO’s Control Center, that has the ability to to perform switching operations or other functions as directed by a TOP, will posses the capability to be misused by an authorized party to adversaly impact the BES, and must be designated as BES Cyber Assest. 

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/4/2017

- 1 - 0

The assertions do not consider risk or span of control.  As described in NERC’s proposed beta criteria, Control Centers may not all pose the same level of risk to the BES.  In terms of risk to the reliable operation of the BES, the capability to control a single 115KV breaker is considerably different than the ability to control several substations, some of which could cause cascading outages if misoperated.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

While the word “obligation” in the phrase “perform the functional obligation of” relates to the authority, the purpose of the CIP standards is to require Cyber Security based on risk.  This risk is determined by that capability of the equipment and not the authority of the entity.  Further, the original intent was not effectively communicated on its implications of registration.  Many industry members did not understand that the intent was based upon a functional capability.  Many were under the belief that applicability was strictly based upon the registration of the entity. 

 

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 3 - 0

SVP supports the comments posted by APPA.

Val Ridad, On Behalf of: Silicon Valley Power, WECC, Segments 4

- 0 - 0

PPL agrees with the SDT that it is the capability, not registration, that should drive whether the BES Cyber Systems are required to be protected.  Any BES Cyber System that could be used to harm reliability by a malicious actor must be protected, regardless of the registration status of those who actually perform the TOP reliability functions.  The current CIP-002-5.1a determination of risk level or impact classification correctly assigns the level of protection needed for different capabilities of Control Centers.

PPL NERC Registered Affiliates, Segment(s) 3, 1, 5, 6, 2/9/2017

- 0 - 0

WECC agrees the capability of a given BES Facility and its associated BCS provides a better representation of the risk to reliability of the BES than does the authority to act, whether or not such authority is unilateral or under direction of the TOP. 

Steven Rueckert, On Behalf of: Western Electricity Coordinating Council, , Segments 10

- 0 - 0

OPG agrees with the assertions outlined in the TOCC White Paper regarding capability versus authority. If the TO’s control center has the capability to reduce the reliability of the BES, an unauthorized party may be able to get in if appropriate controls are not put into place. The distinction of capability versus authority does not matter in this case. TO is effectively TOP in terms of potential impact capability for BES reliability. In this case they are performing the same function.

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

Regarding the functional registration of the Transmission Owner (TO), it is true that entities may perform control actions necessary for supporting BES reliability without the official TOP registration.  However, it also true that entities exist with the TOP registration who do not perform operations necessary to maintain BES reliability. A missing element in the discussion of control is the differentiation between those control actions taken to begin and conclude maintenance operations versus actions taken to preserve and protect the reliability of the BES. For small BES networks that have minimal impact on the greater BES, the only objective is to maintain the network for local load. It may sustain an N-1 event without loss of load, but there is no contingency where BES reliability support is required other than load shedding. Although the associated Facilities are not integral for BES reliability, the owner must register as a Transmission Owner and a TOP if a contractual arrangement is not available for a second entity to assume TOP coverage. In this case, exercise of functional TOP authority is not a risk since it is only related to maintenance; any Control Center strictly associated with this type of network should be low impact.  However, the current construct of the Standard mandates medium impact.

We encourage the SDT to remove the language “performing the functional obligations of” and replace it with language that focuses on the risk posed by a Control Center first based on exercise of authority to maintain reliability, and secondarily on Facilities controlled.

Linda Jacobson-Quinn, On Behalf of: City of Farmington, , Segments 3

- 0 - 0

"Capability" is the threat to the BES, not "Authority".   However, the assertions do not address the practical significance of cyber connectivity at a TOCC facility , and the diminishing return on effort by the threat actor to impact the BES from a small CC.  If the risk to the BES by a TOCC facility is deemed more than minimal, then the TO should be registered as an appropriate (selective responsibility) TOP to clear the confusion of "used to perform the functional obligation of".

Bob Case, On Behalf of: Black Hills Corporation, WECC, Segments 1, 3, 5, 6

- 0 - 0

Exelon agrees that not every one of the entities in this category present the same risk to the BES.  Exelon supports determining appropriate modification to the CIP-002-5.1a criteria as discussed below to establish an impact rating for these Control Centers commensurate with risk.   

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

N&ST agrees that what matters to BES reliability is not what uses of a Cyber System are authorized, but what the Cyber System is capable of doing. Bad actors don’t ask for permission.

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

AZPS agrees with the SDT’s assertion that an Entity’s capability to perform obligations of a registered function inherently creates the need to protect that Entity’s BES Cyber System(s) to prevent negative impact to the BES.

Stephanie Little, On Behalf of: Stephanie Little, , Segments 1, 3, 5, 6

- 0 - 0

City Light supports APPA TAPS comments.

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Texas RE agrees with the Standard Drafting Team’s (SDT) statement that “[r]egardless of how a Responsible Entity is registered, to adequately protect the BES, entities must look at not only the intended use but also the potential misuse of the BES Cyber System(s).  If a malicious actor is capable of affecting the BES in a negative manner from a given BES Cyber System, that BES Cyber System needs to be protected accordingly to prevent such actions.”  (TOCC White Paper, p. 8). 

 

This statement, particularly when read in conjunction with the FERC orders cited by the SDT, captures the inherently interconnected nature of the BES and the attendant requirements to design cyber security controls to comprehensively protect all critical assets and avoid creating vulnerable points of entry.  FERC articulated precisely this policy in FERC Order No. 761, as referenced by the SDT:  “we continue to expect comprehensive protection of all control centers and control systems …”  As noted below, the SDT should carefully consider any exceptions to the bright line Control Center requirements in light of this clearly articulated policy goal to require comprehensive protections of all controls centers and backup control centers. 

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

AEP believes that criteria 2.12 addresses  a tier of facilities with medium impact potential that perform the functional obligations of the Transmission Operator.  TOCC are not mentioned in the criteria.  One should ask the question: “Do the Cyber Assets employed at a TOCC have the potential to operate transmission breakers?”  If so,these CA should be subject to medium impact CIP requirements currently. 

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

NRG recommends that the drafting team evaluate the term”Control Center” with the association of term “Transmission Owner (TO).” Currently, the NERC definition for the capitalized term “Control Center” is only applicable to RCs, BAs, TOPs and GOPs. If the drafting team feels that the term “TO” should be included in the Control Center definition, we recommend that the drafting team revise the current language in the Glossary of Terms, Rules of Procedure (RoP) and any other official documentation containing this definition. However, any changes have the potential of causing confusion between the terms TO and TOP.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

While the word “obligation” in the phrase “perform the functional obligation of” relates to the authority, the purpose of the CIP standards is to require Cyber Security based on risk.  This risk is determined by that capability of the equipment and not the authority of the entity. 

RSC no Dominion and ISO-NE, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 4/11/2017

- 0 - 0

While the word “obligation” in the phrase “perform the functional obligation of” relates to the authority, the purpose of the CIP standards is to require Cyber Security based on risk.  This risk is determined by that capability of the equipment and not the authority of the entity.

Si Truc Phan, On Behalf of: Hydro-Qu?bec TransEnergie, NPCC, Segments 1

- 0 - 0

While we do agree with the concept that the capability of remotely controlling Facilities via routable protocol is where risk resides, we disagree with addressing registration gaps with the use of the language “used to perform the functional obligation of.” Authority to control is immaterial in the scope of protecting Bulk Electric System (BES) Cyber Systems associated with remote control, as the objective is to allow only authorized control. The same risk is present whether the operator has the authority, or must obtain authorization/direction to execute a remote control operation.  Of note, it is necessary to assure the exercise of authority is not impeded; however, for Control Centers not associated with issuing reliability directives, impact designation should be based on the Facilities it controls, not on the vague premise it is performing a functional obligation. The effort to capture all entities performing a functional obligation whether or not they carry the official NERC functional registration defeats the clear assignment of responsibility afforded with the registration process. The Standard Development Process is not equipped to fix registration gaps.

Regarding the functional registration of the Transmission Owner (TO), it is true that entities may perform control actions necessary for supporting BES reliability without the official TOP registration.  However, it is also true that entities exist with the TOP registration who do not perform operations necessary to maintain BES reliability. A missing element in the discussion of control is the differentiation between those control actions taken to begin and conclude maintenance operations versus actions taken to preserve and protect the reliability of the BES. For small BES networks that have minimal impact on the greater BES, the only objective is to maintain the network for local load. It may sustain an N-1 event without loss of load, but there is no contingency where BES reliability support is required other than load shedding. Although the associated Facilities are not integral for BES reliability, the owner must register as a Transmission Owner and a TOP if a contractual arrangement is not available for a second entity to assume TOP coverage. In this case, exercise of functional TOP authority is not a risk since it is only related to maintenance; any Control Center strictly associated with this type of network should be low impact.  However, the current construct of the Standard mandates medium impact.

We encourage the SDT to remove the language “performing the functional obligations of” and replace it with language that focuses on the risk posed by a Control Center first based on exercise of authority to maintain reliability, and secondarily on Facilities controlled. Considering the operational nature of the Reliability Coordinator (RC), the Control Center for the RC may be designated high impact based on its authority alone.  However, it is equally valid to designate the RC Control Center as high impact based on the medium and high impact Facilities it monitors, and when necessary, the reliability impact its directives will have on BES stability.  Therefore, in the impact designation for the TO and TOP where the reliability risk varies greatly, it is better to rely on an analysis of the transmission Facilities each Control Center monitors and controls, rather than the function being performed.

Small Entity Comment Group, Segment(s) 4, 3, 5, 6, 4/11/2017

- 0 - 0

Duke Energy fully understands the intent specifically to this section, however we disagree with the approach taken in this document, as it:

  1. blurs the lines between what it means to be a registered Transmission Owner and registered Transmission Operator,

  2. applies only to the Transmission Owner, yet the Transmision Operator may delegate certain required TOP tasks to other registered and non-registered entities not captured in this document, and

  3. approaches the problem with the initial assumption that a “control center” is being operated by an entity not required to operate a control center.

None of the NERC reliability standards applicable to the Transmission Owner require operation of the BES or maintenance of a control center.  On the other hand, entities who perform certain tasks operating the BES at the direction of a Transmission Operator may be required to operate out of a control center.  The Transmission Owner is an easy target knowing that Transmission Owners in certain RTOs are performing delegated TOP tasks, however their operation of a “control center” has nothing to do with their registration as a Transmission Owner, and everything to do with the TOP tasks that have been delegated.  

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

The TOCC White Paper correctly states that the criticality of Control Centers should be judged on the capability of the Control Center rather than its authority. Malicious actors will neither know nor care that they are not authorized to perform disruptive actions; therefore, Control Centers must be protected commensurate with their capability.  Also, the SDT should consider a definition for the term “capability” to define what it means in this context.

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

FMPA supports the comments developed by APPA / TAPS which were submitted by Utility Services, Inc.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

PSEG supports NPCC’s comments.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 1 - 0

The assertion on capability versus authority is not really clear on the objective.   If the objective of assertion is to establish criteria such that if the TO’s CC is a conduit for control of BES equipment and the TO’s CC should be considered a BES Cyber Asset, but should not necessarily be considered the same impact level as the TOP’s, then we agree with the assertion.

Terry Volkmann, On Behalf of: On Behalf of Small TO CC group, MRO, SERC, RF, Segments 1, 9

- 0 - 0

Southern Company agrees with the general assertions outlined in the TOCC White paper regarding capability versus authority.  Southern agrees that BES Cyber System(s) associated with a TO's Control Center where the TO posesses only the capability, but not the authority, to be used do have some degree of risk.  Southern notes that this degree of risk would vary based on the situation, and emphasizes that any required protections should be based upon the actual risk level.

Brandon Cain, On Behalf of: Southern Company - Southern Company Services, Inc., SERC, Segments NA - Not Applicable

- 0 - 0

AECI strongly believes that for the purposes of categorizing BES Cyber Systems located at Control Centers as High or Medium Impact Rating in CIP-002-5.1a and any future versions, the operating personnel at those Control Centers must have independent authority to perform the real-time reliability tasks on the Bulk Electric System (BES).  Those BES Cyber Systems located at Control Centers where the operating personnel do not have such independent authority to perform real-time reliability tasks on the BES, should be categorized as Low Impact BES Cyber Systems. 

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

ACES believes that capability is more of a delegation function and not an engineering function. As outlined on page 7 of the white paper ”To perform functional tasks or obligations, a System Operator must either be certified as a Transmission Operator or Reliability Coordinator (RC) or take direction from a NERC-certified System Operator (Transmission Operator or RC). Maintaining a NERC certification can take significant investment of time and resources, so some System Operators that control BES Transmission Systems do not maintain certification and instead rely on only operating the System when directed by a NERC Certified System Operator.” The responsibility, analysis and training goes to the TOP function. These are the risks to the BES. The current v5 requirements are sufficient to protect those transmission systems at the TOCC. Currently, TOCC’s are not required to maintain NERC Certification because the risk to the BES is sufficient to their ability to impact the BES.

ACES Standards Collaborators, Segment(s) 1, 3, 5, 6, 4, 4/11/2017

- 0 - 0

Reclamation supports the statements and recognizes that the statements do not seek to alter registrations.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

The SPP Review Group recommends that the drafting team evaluate the term”Control Center” with the association of term “Transmission Owner (TO).” Currently, the NERC definition for the capitalized term “Control Center” is only applicable to RCs, BAs, TOPs and GOPs. If the drafting team feels that the term “TO” should be included in the Control Center definition, we recommend the drafting team revise the current language in the Glossary of Terms, Rules of Procedure (RoP) and any other official documentation containing this definition.

SPP Standards Review Group, Segment(s) , 4/11/2017

- 0 - 0

Lauren Price, On Behalf of: Lauren Price, , Segments 1

- 0 - 0

Tacoma Power supports APPA TAPS comments

Hien Ho, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

SCE agrees with the assertions regarding capability vs authority.  The authority to operate is less relevant to security than the ability for BES elements to be operated from that location.  SCE has a concern regarding use of the term “Control Center” to describe “a place where non-NERC Certified operations personnel are located that do have the ability to carry out the functional obligations of the TOP (via voice or procedural direction only) by performing operating actions on BES equipment.”  This usage does not align well with SCE vernacular.  SCE prefers that a defined term not be used; text describing the facility (e.g., facility from which BES elements may be operated by personnel) could be implemented instead.  

Deborah VanDeventer, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

The capability to perform TOP functions may be unique to each Responsible Entity and therefore EEI will let those entities comment individually.

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

We agree capability is representative of part of the risk that CIP-002-5.1a is trying to address, however, the Standard was not drafted with plain language to include capability.

Capability (physical control) and authority (directing operations) are both important to the operation of the BES and both are currently addressed in CIP-002-5.1a.  This assertion is not new.   As it stands today, the functional obligations (a.k.a. tasks) found on pg. 37 of NERC Reliability Functional Model –Version 5 does not pertain to a TOCC.  From page 24 of the CIP-002-5.1a Guidelines and Technical Basis; “A TO BES Cyber System in a TO facility that does not perform or does not have an agreement with a TOP to perform any of these functional tasks does not meet the definition of a Control Center. However, if that BES Cyber System operates any of the facilities that meet criteria in the Medium Impact category, that BES Cyber System would be categorized as a Medium Impact BES Cyber System.”  This should cause cyber systems in TO control rooms to receive the impact rating of the Facility(ies) they physically control.

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0

Hot Answers

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

The only proper way to respond to this question is, "maybe." Some TOs performing TOP activities may present risks to the BES sufficient to designate the BCSs at their Control Centers "high" or "medium" (Importantly, the CIP Standards, as written, do not "designate" Control Centers as "high" or "medium." The CIP Standards apply to high or medium impact BES Cyber Systems at a Control Center. Using language such as "high" or "medium" impact Control Centers muddies the Standards and should be avoided.) 

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

Other Answers

BPA believes the impact rating should be based on the potential risk to reliability of the BES. Not all entities have assets under their control that can negatively effect the BES. In certain cases, Control Centers should be considered low impact.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 1 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/4/2017

- 0 - 0

The question does not consider risk or scope/magnitude of functional obligations.  As stated in Q1, in relation to the risk to the reliable operation of the BES, the obligation to operate a single 115KV breaker is considerably different than the obligation to operate several substations, some of which could cause cascading outages if misoperated.  Based on NERC’s  proposed beta criteria and FERC’s comments in order 761 (“Therefore, it is reasonable to approve Version 4 because it [74% of Contol Centers are high or medium impact] will ensure that more control centers are identified as Critical Assets than are identified under Version 3.”), there appears to be agreement and acceptance that some TO Control Centers will be low impact.  The potential risk presented by Transmission Owners having the capability to perform functional obligations of a Transmission operator does not in itself present a level of risk commenserate with a medium or high impact level. 

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 1 - 0

A TO Control Center can present risk to the BES based on it’s capabilities but not based on its functional obligation.  This risk should be allowed to be identified  low impact as well as high and medium.

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 3 - 0

SVP supports the comments posted by APPA.

Val Ridad, On Behalf of: Silicon Valley Power, WECC, Segments 4

- 0 - 0

Yes, any Transmission Owner that has the capability to perform the functional obligations of a Transmission Operator and affect the BES presents risk to the reliability of the BES.  While the Transmission Owner may only follow the directives given by the TOP, to the extent the Control Center is capable of being used by a bad actor to harm the BES it presents the same level of risk to the BES as if it were solely Transmission-Operator controlled, and as such should be protected in the same way.

PPL NERC Registered Affiliates, Segment(s) 3, 1, 5, 6, 2/9/2017

- 0 - 0

WECC does not consider the impact of small TOP or TO Control Centers on the reliability of the BES to be more significant than that of small BA or GOP Control Centers that come into scope as Low impact BES Assets under IRC 3.1. Further, WECC considers cyber security protections required for smaller TO and TOP control centers should be commensurate with their potential impact on the reliability of the BES. WECC supports the development of a Section 3 Low impact Control Center category for smaller TOP entities and/or applicable TO entities who perform the functional obligation of the TOP from one or more Control Centers. Such Low impact TOP Control Centers and applicable TO control Facilities should be afforded the full protections of the CIPv5 Suite of Standards, as applicable for Low impact BES Assets.

Steven Rueckert, On Behalf of: Western Electricity Coordinating Council, , Segments 10

- 1 - 0

OPG believes that all controls applicable to the TOP’s control center, as specified in the CIP V5 standards should be applied to the TO’s control center in this case. This is applicable for both TO Control Centres Primary and Backup. The CC can be rated High, Medium or Low as per the criteria in the standard.  One potential way to mitigate this issue would be to have the TOP take over the TO functions that are really TOP functions.

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

Whether the TO is performing functional obligations of the TOP is strictly a registration issue which should be out of scope of any standard.  Allowance of a TO to perform maintenance operations as authorized by the TOP is not necessarily a registration gap. If transmission operations only involve low impact Facilities, it is probable that operations do not include actions to preserve BES reliability. However, TO remote control of a medium impact Facility should identify its Control Center as medium impact. Efforts by the SDT to address TO ability to perform functional obligations inappropriately assigns impact level by assuming all TOP obligations are medium impact. As stated, small TOP’s should also be provided the opportunity to assume a Low Impact based on impact to the BES.

Assignment of impact level by addressing the risk level of BES transmission assets the TO controls is a better metric.  This also extends to Control Centers of small TOP entities.

Linda Jacobson-Quinn, On Behalf of: City of Farmington, , Segments 3

- 0 - 0

The fact that a TO "used to perform the functional obligation of" a TOP was not registered as a TOP in the first place, suggests that they do not pose a greater than minimal risk to the BES.   If the risk to the BES by such a TO is deemed to be more than minimal, then that TO should be registered as an appropriate (selective responsibility) TOP to clear the confusion of "used to perform the functional obligation of".

The option shown on the bottom of Page 9 of the TOCC Whitepaper could be the criteria basis of when a TOCC should be registered as a TOP. 

Bob Case, On Behalf of: Black Hills Corporation, WECC, Segments 1, 3, 5, 6

- 0 - 0

Exelon’s position is that not every one of the entities in this category present the same risk to the BES.  Exelon supports determining appropriate modification to the CIP-002-5.1a criteria as discussed below to establish an impact rating for these Control Centers commensurate with risk.   

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

N&ST agrees with the view, presented in the TOCC White Paper, that it might be appropriate to designate some TOCCs as medium or high impact, but only if they meet revised criteria such as the ones presented in the white paper.

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

IID believes the impact rating should be based on the potential risk to reliability of the BES.

 

 

 

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Although AZPS agrees that Entities performing functional obligations of Transmission Operators may present risk to the reliability of the BES, a general classification may not be appropriate.  Rather, classification using engineering studies, independent reviews, and reliability criteria may more accurately identify each Entity’s designation.

Stephanie Little, On Behalf of: Stephanie Little, , Segments 1, 3, 5, 6

- 0 - 0

City Light supports APPA TAPS

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Texas RE supports the application of the CIP V5 Standards to Transmission Owner Control Centers.  As the SDT noted in the TOCC White Paper, FERC has expressed skepticism regarding whether particular Control Centers could be exempted from the high or medium impact designations.  Specifically, in FERC Order No. 706, FERC commented:  “The Commission recognizes that, when these matters are taken into account, it is difficult to envision a scenario in which a reliability coordinator, transmission operator or transmission owner control center or backup control center would not properly be identified as a critical asset.”  FERC reiterated this policy in FERC Order No. 761, as referenced by the SDT: “we continue to expect comprehensive protection of all control centers and control systems …”  FERC’s statements indicate that it expects all control centers to constitute critical cyber assets and that the explicit requirements associated with medium impact assets should be comprehensively applied to them.  FERC further indicates that exceptions to this policy would need to be narrowly tailored and clearly justified. 

 

Texas RE also agrees with the SDT’s important observation that Transmission Owner Control Centers are required to satisfy Control Center requirements, including the requirement to have Backup Control Centers, set forth in EOP-008.  (TOCC White Paper at 7).  In developing the CIP standards, the previous SDT fully considered this issue, as well as the FERC Orders on regarding the application of the CIP Standards to Control Centers, and elected to include Transmission Owner Control Centers within the scope of the Standards.  In doing so, the SDT considered a number of comments raising the same issues now identified in this project.  The SDT should carefully consider whether it is appropriate to reverse course at this point in time.

 

In its option to retain the current language, the SDT noted that one rationale is that the “currently approved language maintains the intent of the CIP V5 language.”  As the SDT further noted, there are a number of procedural mechanisms, including the BES Exception Process and the Risk Based Registration Process that may be better suited to addressing specific entity issues without altering the underlying intent of the CIP V5 Standards as previously considered and adopted.  Texas RE supports this approach.

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

AEP believes TOCC facilities may have Cyber Assets that can operate transmission breakers or affect situational awareness on a broad front.  TOCC that have Cyber Assets with the span of control currently associated with high impact Criteria 1.3 should be specifically addressed in that criteria.

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

NRG recommends that the drafting team develops some criteria to identify a TO Control Center capable of performing a TOP function obligation that would require a high or medium impact rating.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

A TO Control Center can present risk to the BES based on its capabilities but not based on its functional obligation.  This risk should be allowed to be identified as low impact as well as high and medium.

RSC no Dominion and ISO-NE, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 4/11/2017

- 0 - 0

A TO Control Center can present risk to the BES based on its capabilities but not based on its functional obligation.  This risk should be allowed to be identified as low impact as well as high and medium.

Si Truc Phan, On Behalf of: Hydro-Qu?bec TransEnergie, NPCC, Segments 1

- 0 - 0

Whether the TO is performing functional obligations of the TOP is strictly a registration issue which should be out of scope of any standard.  Allowance of a TO to perform maintenance operations as authorized by the TOP is not necessarily a registration gap. If transmission operations only involve low impact Facilities, it is probable that operations do not include actions to preserve BES reliability. However, TO remote control of a medium impact Facility should identify its Control Center as medium or high impact. Efforts by the SDT to address TO ability to perform functional obligations inappropriately assigns impact level by assuming all TOP obligations are medium impact.  Assignment of impact level by addressing the risk level of BES transmission assets the TO controls is a better metric.  This also extends to Control Centers of small TOP entities.

Small Entity Comment Group, Segment(s) 4, 3, 5, 6, 4/11/2017

- 0 - 0

Duke Energy does not agree that Transmission Owner associated Control Centers should be designated as medium or high impact. Transmission Owner associated Control Centers should be designated as Low Impact similar to the GOP function.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

To use a specific example, PJM registers as the RC, TOP, and BA for its entire footprint. However, PJM is not capable of directly operating a single switch or breaker. That operational responsibility is delegated to its member companies. Some of these member companies are very large, such as First Energy, Exelon, and Dominion. Failure to require these entities’ Control Centers to be protected would place the BES at extreme risk in these areas.

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

FMPA supports the comments developed by APPA / TAPS which were submitted by Utility Services, Inc.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

PSEG supports Edison Electric Institute’s comments.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 1 - 0

Depends on the size of characteristics of the TO’s system.  Some TO systems are smaller and less critical that some TOP substations.   In addition, some TO SCADA systems which provide a conduit for control to a TOP that has the reliability responsibility are not different, no greater cyber security risks, than the TOP communication nodes / data collector which are declared low impact because they only interface with low impact assets.

Terry Volkmann, On Behalf of: On Behalf of Small TO CC group, MRO, SERC, RF, Segments 1, 9

- 0 - 0

 Southern Company does not agree that TOs that have the capability to perform the functional obligations of TOPs present risk(s) to the reliability of the BES that should be designated as either medium or high impact.  Southern Company believes that in certain instances, the risk to the BES in the case described could and should be considered low impact.  

Brandon Cain, On Behalf of: Southern Company - Southern Company Services, Inc., SERC, Segments NA - Not Applicable

- 0 - 0

AECI strongly believes that Transmission Owner Control Centers that have the capability, but not the independent authority, to perform the functional obligations of a TOP, do not present significant risks to the reliability of the BES that necessitate their associated BES Cyber Systems to be categorized as a High or Medium Impact Rating.  Such Control Centers must receive permission or authorization from a TOP before it can perform real-time reliability tasks on the BES.  Therefore, their risk to the reliability of the BES is significantly lower than, and dependent upon, a TOP that has independent authority to authorize another Control Center to take actions on the BES.  Again, those Control Centers where the operating personnel do not have such independent authority to perform real-time reliability tasks on the BES, should be categorized as a Low Impact Rating Control Center.

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

As stated in the white paper, FERC did say that control centers should be included as a ‘Critical Asset’. That statement was before Lows Impact Criteria was created. If that definition had been there, FERC would have said that TO Control Centers should be included in CIP, as a Low Impact Facility. Adding a TOCC from the v1-3 ‘null set’ provides the additional facilities to meet FERC’s request that TOCCs be in scope.

ACES Standards Collaborators, Segment(s) 1, 3, 5, 6, 4, 4/11/2017

- 0 - 0

Reclamation recommends that the impact rating should be commensurate of the risk and TOCCs may be rated as high, medium or low.  Not all Transmission Owners that have the capability to perform the functional obligations of Tansmission Operators present risks to the reliability of the BES significant enough that the TOCC should be designated medium or high impact. Impact ratings should be based on the specifics of the Control Centers, and the standard should allow for the possibility of a low impact rating.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

The SPP Review Group recommends that the drafting team develops some criteria to identify a TO Control Center capable of performing a TOP function obligation that would require a high or medium impact rating.

SPP Standards Review Group, Segment(s) , 4/11/2017

- 0 - 0

Lauren Price, On Behalf of: Lauren Price, , Segments 1

- 0 - 0

Tacoma Power supports APPA TAPS comments

Hien Ho, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

SCE believes TOCCs should be designated as high or medium impact only if BES elements can be operated from said facility.  If the TO is at a facility when no BES element can be operated, then no risk exists and the TOCC should not be designed as high or medium impact.

Deborah VanDeventer, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

However, the risk will depend on the capability, which may be unique to each Responsible Entity. 

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

A TO Control Center can present risk to the BES based on its capabilities but not based on its functional obligation.  This risk should be allowed to be identified as low impact as well as high and medium.

Using the term “functional obligation” avoids the fact that this is specifically a concern about TO’s performing switching.  The implications of considering  TOs “capability to perform functional obligations” could have unforeseen consequences on TOs who perform additional tasks that are redundant to the TOP.  Systems located at TO control centers that have a physical control capability should acquire the impact rating from the Attachment 1 criteria that is driven by the assessment of the Transmission Facility(ies).  This does not have to be covered by the location of the systems but by the control aspect and being “associated with” a BES Facility. 

CIP-014 covers the physical security of the control centers and defines a “pcc” in a manner that recognizes TOs that perform switching.  The issue of physical switching as a functional obligation of the TOP has not been clearly specified by NERC.  TO control rooms may house medium impact systems that have control functionality and the CIP requirements should already apply accordingly.  If any revisions should be made, the Monitoring and Control BROS should be revised to include the TO functional registration for SCADA systems.  For example, SPS Cyber Systems may also be located at a TO control room and may have a medium impact rating which is not based on location.

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0

Hot Answers

The current is not very clear around distinctions of whether an entity can perform the functional obligation of…. under direction from a High Impact Control Centre or third-party entity or whether they normally perform the functional obligations unilaterally.

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

As mentioned above, it is a slippery slope to begin having Standards apply to entities not clearly set forth in the "Applicability" section of the Standard. The better approach would be to revise the Applicability section.

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

Other Answers

Criterion 2.12 implies that all Control Centers should be medium or high impact. BPA’s position is that this needs to be addressed with a low impact option, based on actual impact to the BES. As part of the solution, functional obligation should be removed.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 1 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/4/2017

- 0 - 0

The language ”perform the function obligation of” does not consider risk or scope/magnitude of actions and abilities of the TOCC and is subject to interpretation.  The requirement should be risk based and consider the Reliable Operation of the BES.  Please see the response to #8 for proposed language for CIP-002.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

The “Perform the functional obligations of” phrase is about authority and not capability and should be removed or replaced with both the applicable registrations and criteria for the identification of high, medium and low risk.   

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 3 - 0

SVP supports the comments posted by APPA.

Val Ridad, On Behalf of: Silicon Valley Power, WECC, Segments 4

- 0 - 0

With respect to criterion 2.12, the phrase “used to perform the functional obligation of” should be broadened to also include the capability to be used to perform such functional obligations.  We suggest the following language as shown in italics:  “Each Control Center or backup Control Center used, or capable of being used, to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H) above.”

PPL NERC Registered Affiliates, Segment(s) 3, 1, 5, 6, 2/9/2017

- 0 - 0

This language seems to be very clear, if a TO operates BES Elements at two or more geographically dispersed locations on behalf of its TOP, whether under its direction or not, such a Facility where this operation occurs meets the definition of a Control Center and performs one or more of the functional obligations of the TOP (i. e., switching BES Elements). 

Steven Rueckert, On Behalf of: Western Electricity Coordinating Council, , Segments 10

- 0 - 0

OPG considers that the wording in the white paper is acceptable and should be included in the standard.

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

FEUS recommends a strict analysis of transmission Facilities controlled by a Control Center or Backup Control Center.  We support the language as proposed by the SDT in Options 1a and 1b as well as the language proposed by APPA and Utility Services. FEUS does not  support Option 2 ‘no action.’

Linda Jacobson-Quinn, On Behalf of: City of Farmington, , Segments 3

- 0 - 0

“used to perform the functional obligation of” begs the question of why the TO is not registered as TOP.  The criteria shown on the bottom of Page 9 of the TOCC Whitepaper could be the basis of when a TO should be registered as a TOP.  “used to perform the functional obligation of” dimishes the intended clarity of the NERC functional model.  The functional model needs to be fixed to allow NERC functions to be cleanly mapped to the NERC standards.

Not doing so could result in future similar confusion disputes;  e.g. TP used to perform the functional obligation of PA/PC, GO used to perform the functional obligation of GOP, etc.

Bob Case, On Behalf of: Black Hills Corporation, WECC, Segments 1, 3, 5, 6

- 0 - 0

The language ”perform the function obligation of” does not consider risk or scope/magnitude of actions and abilities of the TOCC and is subject to interpretation.  The requirement should be risk-based and consider the Reliable Operation of the BES.

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

Criterion 2.12 implies that all Control Centers should be medium or high impact. It needs to address a low impact option, based on actual impact to the BES. As part of the solution, functional obligation should be removed.

 

 

 

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

AZPS believes that Criterion 2.12 should provide additional clarity to specify characteristics of the obligations that would subject the Entity to the applicability of CIP-002-5.1.

Stephanie Little, On Behalf of: Stephanie Little, , Segments 1, 3, 5, 6

- 0 - 0

City Light supports APPA TAPS

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

The "Perform Functional Obligation Of" crterion is clear as written.

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

AEP suggests the following wording change to address the impact potential associated with TOCC: “…used to perform or enable the functional obligation of…”

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

NRG would ask the drafting team to provide clarity on the functional obligation of the TOP.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

We agree that “perform functional obligation of” language requires additional guidance or clarity. We agree that the cyber risk of Transmission Owners who can open/close breakers that lack decision-making authority should be addressed.

The “Perform the functional obligations of” phrase is about authority and not capability and should be removed or replaced with both the applicable registrations and criteria for the identification of high, medium and low risk.  Suggest modifying Criteria 2.12 to include specific language for the identification of Medium Impact Control Centers which would allow for Low Impact Control Centers.

A proposed criteria 2.12 is

2.12. Each Control Center or backup Control Center not included in the High Impact Rating (H) above and operates any of the following:

  • Any transmission Facilities recognized as Medium Impact asset as identified herein.
  • Three or more Network Paths (see below) operating between 200 kV and 499 kV, and has an “aggregated weighted value” exceeding 3000 according to the table below.  The aggregate weighted value for a single Control Center is determined by summing the “weight value per Path” used in Criteria 2.5 (where Network Path replace Line) for each Network Path the Control Center operates.

Voltage Value of a Network Path: Less than 200 kV, 200 kV to 299 kV, 300 kV to 499 kV and 500 kV and above.

Weight Value per Network Path: (not applicable), 700, 1300, and (not applicable).

·         Any transmission Facilities that has been identified as part of a permanent flow gate or major transfer path.

This recommendation also includes the new term Network Path.

Definition of Network Path:

 

A collection of BES Elements forming a single transmission circuit, and bounded by two or more substations or stations. 

Non-BES lines are not included in the BES line count. 

RSC no Dominion and ISO-NE, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 4/11/2017

- 0 - 0

We agree that “perform functional obligation of” language requires additional guidance or clarity. We agree that the cyber risk of Transmission Owners who can open/close breakers that lack decision-making authority should be addressed.

The “Perform the functional obligations of” phrase is about authority and not capability and should be removed or replaced with both the applicable registrations and criteria for the identification of high, medium and low risk.  Suggest modifying Criteria 2.12 to include specific language for the identification of Medium Impact Control Centers which would allow for Low Impact Control Centers.

A proposed criteria 2.12 is

2.12. Each Control Center or backup Control Center not included in the High Impact Rating (H) above and operates any of the following:

  • Any transmission Facilities recognized as Medium Impact asset as identified herein.
  • Three or more Network Paths (see below) operating between 200 kV and 499 kV, and has an “aggregated weighted value” exceeding 3000 according to the table below.  The aggregate weighted value for a single Control Center is determined by summing the “weight value per Path” used in Criteria 2.5 (where Network Path replace Line) for each Network Path the Control Center operates.
  • Any transmission Facilities that has been identified as part of a permanent flow gate or major transfer path.

This recommendation also includes the new term Network Path.

Si Truc Phan, On Behalf of: Hydro-Qu?bec TransEnergie, NPCC, Segments 1

- 0 - 0

We recommend retirement of the phrase “used to perform the functional obligation of” as it attempts to correct registration gaps.  In its stead, we recommend a strict analysis of transmission Facilities controlled by a Control Center or Backup Control Center.  We support the language as proposed by Utility Services.

Small Entity Comment Group, Segment(s) 4, 3, 5, 6, 4/11/2017

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

With the present NERC Glossary definitions the phrase “used to perform the functional obligations of the Transmission Operator” easily translates to “used to operate or direct the operation of the transmission facilities.”

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

FMPA supports the comments developed by APPA / TAPS which were submitted by Utility Services, Inc.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

PSEG supports Edison Electric Institute’s comments.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 1 - 0

More clarity is needed.   The focus of the phrase “used to perform the functional obligation of” has been control of BES equipment.  The NERC definition of Transmission Operator includes the responsibility of maintaining the reliability of its “local” transmission system, and that operates or directs the operations of the transmission Facilities.   An entity being a conduit for control of the BES, but having no reliability responsibilities is not performing the functional obligation of the TOP.

Terry Volkmann, On Behalf of: On Behalf of Small TO CC group, MRO, SERC, RF, Segments 1, 9

- 0 - 0

Brandon Cain, On Behalf of: Southern Company - Southern Company Services, Inc., SERC, Segments NA - Not Applicable

- 0 - 0

AECI strongly recommends that the language CIP-002-5.1a Attachment 1, criterion 2.12 should be revised with the underlined text to read as follows:  “Each Control Center or backup Control Center, whose operating personnel have independent authority to perform real-time reliability tasks on the Bulk Electric System (BES), used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above.”

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

The language should include some mention of being “performing functional obligations and tasks from a NERC Certified System Operator”. That is the level where there are the most risk to the BES. All other risks to the BES are covered in v5 for Lows Impact Facilities.

ACES Standards Collaborators, Segment(s) 1, 3, 5, 6, 4, 4/11/2017

- 0 - 0

Reclamation recommends that additional clarity be provided for the following:

  • Identify specific function(s) performed by the TOCC and provide examples of operational activities or types of equipment that are at the root of why 2.12 was written

  • Identify the frequency at which the specific functions are performed

  • Replace the phrase “functional obligation” with language such as “with the ability to operate“ for entities who are not responsible for performing the functional obligation of the TOPs.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

The review group would ask the drafting team to provide clarity on the functional obligation of the TOP.

SPP Standards Review Group, Segment(s) , 4/11/2017

- 0 - 0

Lauren Price, On Behalf of: Lauren Price, , Segments 1

- 0 - 0

Tacoma Power supports APPA TAPS comments

Hien Ho, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

The phrase “used to perform the functional obligation of” does not address the capability of the TOCC nor does it address the risk to the BES.  The impact categorization should be based on a specific impact rating criteria and its associated risk to the BES.

Deborah VanDeventer, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

The phrase “used to perform the functional obligation of” does not consider the capability of the TOCC and its related risk the BES.  The impact categorization should be based on the risk to the BES. Please see the comments under question 8 as alternative edits to CIP-002.5.1 Attachment 1.

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

The “perform functional obligation of” language needs to be revised in the Standard. We agree that the cyber risk of Transmission Owners who can open/close breakers that lack decision-making authority should be addressed.  The “Perform the functional obligations of” phrase is about authority and not capability and should be removed or replaced with both the applicable registrations and criteria for the identification of high, medium and low risk. 

There is no actual list of “functional obligations.”  As it stands today, the functional obligations (a.k.a. tasks) are found on pg. 37 of NERC Reliability Functional Model –Version 5.  These tasks do not include switching of devices which seems to be the issue here.  When referencing “functional obligation” it also needs to be clear if the term refers to all obligations or a specific obligation

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0

Hot Answers

The existing definition does not clearly define or delineate between TOCC and Control Centres that perform responsibilities as defined in the NERC Functional Model.

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

The Control Center need not be revised if the Standard applies to the correct registered functions.

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

Other Answers

BPA believes that the Control Center definition does not need to be revised. Updates to the criteria for impact ratings of low and medium should be developed.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

The NSRF believes that any revision to the definition of Control Center may have unintended consequences by expanding the scope beyound its intended purpose of addressing TOCC issue related to identification of BES Cyber System.  Therefore, addressing TOCC issue by proposing to revise CIP-002-5.1a as stated by this paper, is the correct approach.    The NSRF believes that any revision to the definition of Control Center may have unintended consequences by expanding the scope beyound its intended purpose of addressing TOCC issue related to identification of BES Cyber System.  Therefore, addressing TOCC issue by proposing to revise CIP-002-5.1a as stated by this paper, is the correct approach.   

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/4/2017

- 0 - 0

The defined term Control Centers is no longer used only in select CIP standards, but also used in various O&P standards as well.  Modifying the defined toerm to accomodate this narrow issue could have significant impacts on other, non-related standards that result in a decrease in reliability.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 1 - 0

While the Control Center definition raises similar concerns in capability and authority through the phrase “…performing the reliability tasks of…”, we feel that the current definition can work with the change we’ve advocated in response to question 5.  Further, changing the definition may create problems and concerns with other requirements and standards. 

 

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 3 - 0

SVP agrees with the comments posted by APPA.

Val Ridad, On Behalf of: Silicon Valley Power, WECC, Segments 4

- 0 - 0

We suggest maintaining the standards as currently written.  Any change to the Control Center definition could create confusion with respect to existing agreements, registrations,etc.

PPL NERC Registered Affiliates, Segment(s) 3, 1, 5, 6, 2/9/2017

- 0 - 0

WECC has multiple smaller TO entities, which are experiencing an undue compliance obligation related to resources and financial concerns with the declaration of a Medium TOCC Facility. In WECC's opinion, the protections afforded such smaller TOP and TO Control Centers should be commensuate with the risk posed to the reliability of the BES. However, WECC does not believe the definition of Control Center should be modified (see comment 5 below for additional clarification). 

Steven Rueckert, On Behalf of: Western Electricity Coordinating Council, , Segments 10

- 1 - 0

In the existing Control Center definition the functional entities are called out so OPG is of the opinion that TO should also be called out.

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

Linda Jacobson-Quinn, On Behalf of: City of Farmington, , Segments 3

- 0 - 0

The definition in the NERC Glossary is sound.  The problem is trying to bring TOs (who are not registered as TOPs) into this definition.

Bob Case, On Behalf of: Black Hills Corporation, WECC, Segments 1, 3, 5, 6

- 0 - 0

The Control Center definition impacts standards other than CIP and should not be modified by the CIP SDT.

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

N&ST believes the TOCC issue can be addressed by new or modified impact rating criteria, and that the current definition of “Control Center” does not need to be revised.

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

Updates to the criteria for impact ratings of low and medium should be developed.

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

AZPS recommends no revisions to the definition of Control Center as it already excludes Entities that do not provide any primary function and, therefore, present minimal risk/low impact to the BES.

Stephanie Little, On Behalf of: Stephanie Little, , Segments 1, 3, 5, 6

- 0 - 0

City Light supports APPA TAPS

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

The Control Center definition is clear as written.

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

AEP believes the existing definition is concise and easy to understand.  Adding an exception clause would be cumbersome and may lead to misapplication of CIP and other requirements.

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

NRG recommends that the Control Center definition be revised to contain the TO if the drafting team chose to go this route. Additonally, NRG would recommend the drafting team review the definition of the TO in the Functional Model, RoP as well as the NERC Glossary of Terms.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

Due to the Control Center use by other Standards, we recommend the SDT not revise the Control Center definition to address the TOCC issue. The SDT is evaluating options to address the TOCC issue, as described in the TOCC White Paper. Please identify options or propose solutions your entity would support and provide rationale for your position. (See Evaluation of Potential Solutions beginning on page 9 of the TOCC White Paper for additional context and discussion.)

RSC no Dominion and ISO-NE, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 4/11/2017

- 0 - 0

 No consensus commentsThe SDT is evaluating options to address the TOCC issue, as described in the TOCC White Paper. Please identify options or propose solutions your entity would support and provide rationale for your position. (See Evaluation of Potential Solutions beginning on page 9 of the TOCC White Paper for additional context and discussion.)

Comments:      

 

The modification of Criteria 2.12 with language that removes the “functional obligation” and includes sub-criteria for the identification of medium impact Control Centers seems the most beneficial solution and would be consistent with the other existing criteria. 

Creating an exemption process or a Low Impact justification process that would allow an entity to reclassify the impact level using engineering studies seems costly and would still require some sort of brightlines to measure the results of the studies against.

 

The “take not further action” option does not resolve either the “functional obligation” issue or the low impact determinations that NERC was attempting to address using the BETA criteria.

Si Truc Phan, On Behalf of: Hydro-Qu?bec TransEnergie, NPCC, Segments 1

- 0 - 0

Notwithstanding our negative response, the definition is restrictive to functional registrations (RC, BA, TOP, and GOP), does not differentiate control type – maintenance and reliability related operations – under the Transmission Owner registration.  Further, the phrase “two or more locations” is unclear whether it includes two breaker locations on the same bus (one address), or two Facilities located geographically at different addresses. However, adding the TO registration can create problems with the term’s use in other standards were official NERC Registration is clearly the intent.  While we strongly recommend review of the definition considering all instances of its use, we do not recommend revision strictly for the benefit of the TOCC issue. Rather, we recommend the Transmission Owner’s  BES Cyber Systems used for remote control of transmission Facilities be addressed either in the applicability section of the Standard as implemented in PER-005-2, or Control Center as applied to the TO in the guidance documentation.

Small Entity Comment Group, Segment(s) 4, 3, 5, 6, 4/11/2017

- 0 - 0

Duke Energy disagrees with the proposal to revise the definition of Control Center. A TOCC should still fall under the definition of a Control Center if performing any obligation that could affect the reliability of the BES. Also, any changes to the definition of Control Center may adversely impact other Reliability Standards to which the definition currently applies.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

FMPA supports the comments developed by APPA / TAPS which were submitted by Utility Services, Inc.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

PSEG supports Edison Electric Institute’s comments.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 1 - 0

The present definition includes 3 parts; monitor, control and perform reliability tasks.  Any evaluation to determine if a facility is a control center, all 3 parts must be met.

Terry Volkmann, On Behalf of: On Behalf of Small TO CC group, MRO, SERC, RF, Segments 1, 9

- 0 - 0

 Revision of the Control Center definition is not the best way to address the TOCC issue.  Southern Company proposes that modification of the criteria in CIP-002-5.1a, Attachment 1 would be the more appropriate method of addressing the TOCC issue.

Brandon Cain, On Behalf of: Southern Company - Southern Company Services, Inc., SERC, Segments NA - Not Applicable

- 0 - 0

If the SDT does not accept AECI’s revisions proposed in our comments in response to the questions above, AECI recommends the following revision in underlined text to the NERC Control Center definition: “One or more facilities hosting operating personnel that monitor and have independent authority to take actions to control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.”

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

As mentioned previously, the definition should only include those facilities that required NERC Certified System Operators and Programs.

ACES Standards Collaborators, Segment(s) 1, 3, 5, 6, 4, 4/11/2017

- 0 - 0

Reclamation recommends the definition of Control Center should be revised or additional guidance be given.  The current definition is silent on whether a Control Center is unmanned, periodically-manned or manned 24/7; is used for convenience only; is not critical to the operation of the BES; and/or includes the operation of non-BES facilities.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

The review group recommends that the Control Center definition be revised to contain the TO if the drafting team chose to go this route. Additonally, we would recommend the drafting team review the definition of the TO in the Functional Model, RoP as well as the NERC Glossary of Terms.

SPP Standards Review Group, Segment(s) , 4/11/2017

- 0 - 0

Lauren Price, On Behalf of: Lauren Price, , Segments 1

- 0 - 0

Tacoma Power supports APPA TAPS comments

Hien Ho, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

SCE believes the Control Center definition does not require revision in order to address the TOCC issue. Additionally, changes to the definition could have a wide impact on many other Reliability Standards.  SCE prefers the TOCC issue be addressed as part of guidance section of the CIP-002-5.1a standard.

Deborah VanDeventer, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

The Control Center definition is not only already in use by the CIP Standards, but it is also being leveraged by other Reliability Standards. Any changes to this definition would have a wide impact that cannot be sufficiently assessed by the CIP SDT. Modifying CIP-002-5.1 Attachment is a more efficient and reasonable method to address the TOCC issue. 

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Due to the Control Center use by other Standards, we recommend the SDT not revise the Control Center definition to address the TOCC issue, but take some alternative steps to address the TO function.

The term Control Center should only be associated with the Functional Registered entities RC, BA, TOP and GOP.  When dealing with TOs, perhaps the term “control room” can be added and defined as: one or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform tasks under the direction of the TOP (specifically BES switching). See #3 above.

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0

Hot Answers

BC Hydro does not support the NERC proposed Criterion 2.12 nor the proposed Criterion 2.12 replacement from APPA, TAPS for the following reasons:

Control rooms at Medium Impact generating stations provide a centralized location to control the entire assigned portion of the power system or can have the ability to control two or more transmission Facilities. This typically includes the generating station and the attached substation, including the associated transmission lines (138kV-500kV). As such, physical access to control rooms would enable an ill-intentioned individual the ability to affect a large portion of the power system faster than if they had to go to each device in the field individually.

Having said that, most of the additional proposed protections required for Medium Impact BES Cyber Systems at Control Centres are focused on electronic access point malicious communication detections ie. Requiring an Intrustion detection system – CIP-005-5 R1.5), event alerting/logging, and recovery plan testing independent of if there is a control room or not associated with the generating station. Once access to the Medium Impact ESP is gained, control of the attached devices is possible, irrespective of if there is a control room or not at the facility. If the risk is sufficiently high with these generating stations, these additional requirements should be included, but in a manner that isn’t tied to if there is a control center or not.

As such, adoption in its current form or as per the proposal below is NOT recommended.  

APPA and TAPS proposed Criterion 2.12 revision:

Criterion 2.12. Each Control Center or backup Control Center not included in the High Impact Rating (H) and operates any of the following:

• Three or more Network Paths (see below) operating between 200 kV and 499 kV, and has an “aggregated weighted value” exceeding 3000 according to the table below.  The aggregate weighted value for a single Control Center is determined by summing the “weight value per Path” shown in the table below for each Network Path the Control Center operates:

 

Voltage Value of a Network Path

Weight Value per Network Path

Less than 200 kV

(not applicable)

200 kV to 299 kV

700

300 kV to 499 kV

1300

500 kV and above

(not applicable)

 

• Any transmission Facilities that has been identified as part of a permanent flow gate or major transfer path.

• Any transmission Facilities integral in the execution of restoration plans as required in NERC Reliability Standards.

 

Proposed Definition of Network Path: A collection of BES Elements forming a single transmission circuit, and bounded by two or more substations or stations.  Non-BES lines are not included in the BES line count.  “Network Path control” is defined as the ability to control any interrupting device that would open the Network Path continuity.

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

Injecting the concept of "capability" vs. "authority" will create confusion and, potentially, inconsistent application of Standards. Specifically, there are no criteria for how to determine if a Standard applies to an entity not included in the "Applicability" section of the Standard. Rather than go though the undefined, unclear exercise of determining whether a Registered Entity has the "capability" of performing activities assigned to another type of Registered Entity, NERC should revise the "Applicability" section of the Standards to ensure they apply to all relevant Registered Entities.

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

Other Answers

BPA would support Option 1a in the white paper with a different set of criterion as shown in question 6. BPA believes that there should be a way for entities to classify a Control Center as low impact if it has minimal impact to the BES. The cost/benefit of classifying all Control Centers as medium impact or higher is not acceptable.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

The NSRF agrees with the potential solution # 1 to revise CIP-002-5.1a.  NRSF suggests that SDT considers offering both options 1a and 1b as part of the proposed solution.  With offering both options, if an entity is designated based on option 1a, however, has lower reliability impact on the BES, then, this entity will have the option to technically justify that its Control Center poses a minimal risk to the BES and be considered low impact.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/4/2017

- 0 - 0

Please see the response to #8 for proposed language as an alternate solution to the TOCC issue.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

The modification of Criteria 2.12 with language that removes the “functional obligation” and includes sub-criteria for the identification of medium impact Control Centers seems the most benifical solution and would be consistent with the other existing criteria.  We propose replacing  criteria 2.12 with: 

2.12. Each Control Center or backup Control Center not included in the High Impact Rating (H) above and operates any of the following:

-     Any transmission Facilities recognized as included as Medium Impact asset as identified herein.

-     Any transmission Facilities that has been identified as part of a permanent flow gate or major transfer path.

-     Three or more Network Paths (see definition below) that:

1 - operate between 200 kV and 499 kV and

2 - have an aggregated weighted value exceeding 3000.  The aggregate weighted value for a single Control Center is determined by summing the “weight value per Network Path” according to the table used in Criteria 2.5 (where the “Network Path” replaces “Line”) for each Network Path the Control Center operates.

This recommendation also includes the new term Network Path.

Definition of Network Path:

A collection of BES Elements forming a single transmission circuit, and bounded by two or more substations or stations.  A Path may contain several non-bounding substations with one incoming and one outgoing BES lines.  Non-BES lines are not included in the BES line count.  “Network Path control” is defined as the ability to control any interrupting device that would open the Network Path continuity.

Creating an exemption process that would allow an entity to reclassify the impact level using engineering studies seems costly and would still require some sort of brightlines to measure the results of the studies against.

The “take not further action” option does not resolve either the “functional obligation” issue or the low impact determinations that NERC was attempting to address using the BETA criteria.

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 3 - 0

SVP supports the proposed beta-criteria posted by APPA.

Val Ridad, On Behalf of: Silicon Valley Power, WECC, Segments 4

- 0 - 0

PPL believes the current standards are acceptable as they relate to the protection of BES Cyber Systems at Control Centers.  PPL has several Control Centers which are protected under the CIP standards and have been since 1/1/2010.  PPL recognizes our obligations both directly as a Transmission Owner and indirectly as a PJM Member via assigned tasks via our Operating Agreement.

PPL NERC Registered Affiliates, Segment(s) 3, 1, 5, 6, 2/9/2017

- 0 - 0

WECC supports the modification of Attachment 1: citerion 2.12 (Option 1.a) to establish a feasible set of threshold values that would allow smaller TOP and TO entities to provide protections applicable to Low impact BES Assets for their Control Centers under IRC 3.1, similar to the  exisiting Low impact category for BA and GOP Control Centers. If this path is chosen by the SDT, WECC also recommends the first bullet be amended to read,

"Two or more geographically separate (BES) Transmission Facilities operated at 200 kV or higher. "

Option 1.b is insufficiently clear in its current scope. Although the recent SDT meeting (22 March 2017) provided some criteria for Steady State Analysis studies, the application of those criteria set is still relatively unclear. Under this approach a TOP or TO may not have direct access to power flow software or sufficient data to study its system under steady state conditions, although the TO should be able to request a study from its TP. If Option 1.b is chosen by the SDT, it should define which TPL studies would provide data sufficient to demonstrate the entity meets the steady state analysis conditions and could legitimately categorize its Control Centers as Low impact under IRC 3.1.

Steven Rueckert, On Behalf of: Western Electricity Coordinating Council, , Segments 10

- 0 - 0

To perform a proper analysis the criteria in option A is required. Therefore OPG support option A as stated in the white paper.

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

FEUS recommends a strict analysis of transmission Facilities controlled by a Control Center or Backup Control Center.  We support the language as proposed by the SDT in Options 1a and 1b as well as the language proposed by APPA and Utility Services. FEUS does not  support Option 2 ‘no action.’

Linda Jacobson-Quinn, On Behalf of: City of Farmington, , Segments 3

- 0 - 0

The fact that a TO "used to perform the functional obligation of" a TOP was not registered as a TOP in the first place, suggests that they do not pose a 'greater than minimal' risk to the BES.   If the risk to the BES by such a TO is deemed to be more than minimal, then that TO should be registered as an appropriate (selective responsibility) TOP to clear the confusion of "used to perform the functional obligation of".

The option shown on the bottom of Page 9 of the TOCC Whitepaper could be the criteria basis of when a TO should be registered as a TOP. 

The scope of the SDT may not allow them to solve this problem by addressing the registration issue, but that appears to be the correct approach to resolve this issue.

Bob Case, On Behalf of: Black Hills Corporation, WECC, Segments 1, 3, 5, 6

- 0 - 0

Exelon does not support an arbitrary bright line criteria that is not supported by a corresponding technical justification. Rather, Exelon supports development of a risk-based assessment methodology to determine specific impact of each TOCC to BES reliability, similar to the approaches used in CIP-014.

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

N&ST supports the use of new and modified criteria such as those presented in the TOCC white paper.

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

IID supports Option 1a

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

AZPS is supportive of the SDT’s proposed solution to revise CIP-002-5.1a to add clarity and criterion to identify Control Centers with low impact BES Cyber System(s).  However, AZPS recommends a hybrid approach of 1a and 1b where there is clear brightline criteria to identify applicable Control Centers and an option to apply for an exception with technical justification demonstrating low impact to the BES.

Stephanie Little, On Behalf of: Stephanie Little, , Segments 1, 3, 5, 6

- 0 - 0

City Light supports APPA TAPS

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

As discussed above, Texas RE recommends that the SDT take no further action regarding the TOCC issue at this time.  Texas RE notes that the scope of the issue remains undefined at this point.  Further, it is unclear how either the NERC Beta criteria or an exemption process would be applied, how many entities would be affected by this process, and whether such applications would result in reliability gaps inconsistent with the intent of the CIP V5 Standards to comprehensively address cyber vulnerabilities and require a baseline level of controls at all vulnerability points. 

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

AEP suggests to add a lower threshold to Criteria 2.12 using the proposed changes with the exception of “greater than 200 miles of transmission lines”.  And, specifically call out TOCC where needed in the criteria.

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

NRG has concerns that potential changes to CIP-002-5.1a relating to these topics could have a broader impact on topics such as radial lines and IROL derivations which could change from year to year (these impacts could potentially change a Generator Control Room into a Transmission Control Center).  These potential results could be broader impacts to the scope of the CIP-002 standard than intended by the SDT as well as unintended impacts to other standards (non-CIP).

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

The modification of Criteria 2.12 with language that removes the “functional obligation” and includes sub-criteria for the identification of medium impact Control Centers seems the most beneficial solution and would be consistent with the other existing criteria. 

 

Creating an exemption process or a Low Impact justification process that would allow an entity to reclassify the impact level using engineering studies seems costly and would still require some sort of brightlines to measure the results of the studies against.

 

The “take not further action” option does not resolve either the “functional obligation” issue or the low impact determinations that NERC was attempting to address using the BETA criteria.

RSC no Dominion and ISO-NE, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 4/11/2017

- 0 - 0

We support the modification of Criteria 2.12, but do not believe there is justification for all of the whitepaper’s Criteria. We are not aware of technical justification for 200 miles of Transmission. The method for determining aggregate transmission does not consider the risk to the BES is dependent on the impact to the entire path and not the summation of each line making that path.

Si Truc Phan, On Behalf of: Hydro-Qu?bec TransEnergie, NPCC, Segments 1

- 0 - 0

We have participated in the development of, and support the Utility Services response to this question.

Small Entity Comment Group, Segment(s) 4, 3, 5, 6, 4/11/2017

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

The section “Propose revisions to CIP-002-5.1a, Attachment 1, Criterion 2.12” provides the most clarity with the least amount of overhead of the proposed options. These criteria could also be extended to small TOPs to more accurately assign a lower risk to the smallest entities.

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

FMPA supports the comments developed by APPA / TAPS which were submitted by Utility Services, Inc.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

PSEG supports Edison Electric Institute’s comments.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 1 - 0

Creation of appropriate low impact TOCC criteria that can be applied to determine a low impact TOP CC will offer a good solution to the industry.  This will alleviate the ambiguity of the term “functional obligation of” as it relates to TOPs and TOs.  Much of language to date focuses only on the TO being a conduit for BES equipment control by the TOP and ignores that the TOP has the reliability obligation, which the TO does not have. 

Terry Volkmann, On Behalf of: On Behalf of Small TO CC group, MRO, SERC, RF, Segments 1, 9

- 0 - 0

 Southern Company supports the solution involving revisions to CIP-002-5.1a, Attachment 1.  Southern is in favor of an approach that can be uniformly implemented and clearly understood by Registered Entities.  Southern has concern that the Low Impact Justification Process would not provide enough specificity.

Brandon Cain, On Behalf of: Southern Company - Southern Company Services, Inc., SERC, Segments NA - Not Applicable

- 0 - 0

AECI strongly recommends that the language in CIP-002-5.1a Attachment 1, criterion 2.12 should be revised with the underlined text to read as follows:  “Each Control Center or backup Control Center, whose operating personnel have independent authority to perform real-time reliability tasks on the Bulk Electric System (BES), used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above.”

If the SDT does not accept AECI’s revisions proposed in our comments in response to the questions above, AECI recommends the following revision in underlined text to the NERC Control Center definition: “One or more facilities hosting operating personnel that monitor and have independent authority to take actions to control the Bulk Electric System (BES) in real-time to perform the reliability tasks, including their associated data centers, of: 1) a Reliability Coordinator, 2) a Balancing Authority, 3) a Transmission Operator for transmission Facilities at two or more locations, or 4) a Generator Operator for generation Facilities at two or more locations.”  Both of these options would provide the additional clarity that was requested by the V5TAG as documented in the transfer document and the Standards Authorization Request.

If the SDT does not pursue either of the options proposed above, AECI recommends that the team should establish a low impact justification process as identified in the TOCC whitepaper.  AECI asserts that a planning assessment, similar to the evaluation identified in TPL-001-4, R4 (Table 1 – Steady State & Stability Performance Extreme Events) can be used to explicitly demonstrate that the facilities under a TO Control Center’s span of control would not cause an Adverse Reliability Impact to the BES if its BES Cyber Systems were rendered unavailable, degraded, or misused.  AECI posits that this process has further engineering basis and technical justification than any of the criteria proposed in the associated TOCC whitepaper. 

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

ACES would support Option 1, modification to CIP-002-5.1a. We would suggest one additional to the critieria.

 

 Attachment 1: criterion 2.12. Each control center or backup control center not included in the high impact rating (H) above, that is used to operate any of the following:

 

• NERC Certified System Operator Program and Staff

• Two geographically separate (BES) Transmission Facilities operated at 200 kV or higher

• Transmission Facilities that have an aggregate transmission capacity greater than 1500 MVA

• A Facility that has been identified by its RC, PC, or TP as critical to the derivation of an Interconnection Reliability Operating Limit (IROL) and its associated contingencies

• Facilities operated between 100 and 200 kV that have been identified as part of a permanent flow gate or major transfer path

• BES Transmission Facilities that have a Total Transfer Capability with a neighboring Transmission Operator that is greater than 1500 MVA

• Greater than 200 line miles of Transmission Lines

ACES Standards Collaborators, Segment(s) 1, 3, 5, 6, 4, 4/11/2017

- 0 - 0

Reclamation recommends that the phrase “Facilities at two or more locations” be clarified so that non-BES facilities are not included in the definition.  Language such as “Only Bulk Electric System Facilties are to be considered when determining if a facility is a Control Center and subject to criteria under IRC 2.12” is recommended.  This concept should also be applied to other requirements concerning Control Centers. 

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

SPP Standards Review Group, Segment(s) , 4/11/2017

- 0 - 0

Lauren Price, On Behalf of: Lauren Price, , Segments 1

- 0 - 0

Tacoma Power supports APPA TAPS comments

Hien Ho, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

SCE agrees with the SDT's list of qualifications (on page 9 of the TOCC White Paper) used to identify facilities.  SCE agrees with the need to have more specific criteria than currently exists for Criteria 2.12 in the current standard. However, some elements of the proposed bright line Criterion 2.12 for classifying certain TOCCs as low impact appear subjective.  For example, the 1500 MVA aggregate transmission capacity and 200 line miles of Transmission Lines, may potentially exclude  TOCC which pose significant reliability impact to the BES.

 

SCE prefers specific criteria in 1a instead of the Low Impact Justification Process proposed in 1b.  SCE supports further refinement to Criterion 2.12 as proposed by EEI or others which take into account specific criteria. SCE does not support Option 2 for the SDT to take no further action.

 

SCE also recognizes the potential need for a low impact justification process, or by a third-party reliability assessment, as discussed on page 10, may provide technical justification to the specific unique circumanstances of certain TOCCs.

Deborah VanDeventer, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Some elements of the proposed bright line Criterion 2.12 for classifying certain TOCCs as low impact seem arbitrary.  For example, the 1500 MVA aggregate transmission capacity and 200 line miles of Transmission Lines could exclude TOCCs capable of having pretty significant reliability impacts. 

The low impact justification process as discussed on page 10 is a possibility.  Low impact classification based on an independent third-party reliability assessment (similar to CIP-014 approach) may be appropriate in the unique circumstances of certain TOCCs.  However, such an individualized assessment process may be more work for NERC and the entities involved, but each decision would be case-by-case and have a valid, technical justification unique to the specific TOCC at issue. 

An alternative approach is also provided in our comments under question 8.

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

As stated above, we would propose revising the Standard, clarification of the term “functional obligation”, as well as changes to the NERC glossary.  When dealing with TOs, perhaps the term control room can be defined as: one or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in real-time to perform tasks under the direction of the TOP.  The impact rating of the BES associated cyber systems in these control rooms would be not less than the highest impact level of the Facilities they “control” as specified in CIP-002-5.1a, Attachment 1, Section 2, impact rating criteria.

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0

Hot Answers

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

Other Answers

BPA supports the following criterion 2.12 update developed by APPA and TAPS, in collaboration with industry input. Any Control Centers that do not fall under the High Impact Rating or this criterion would be classified as Low Impact.

 

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

MRO NSRF agrees with the critieria proposed by this paper to solve the TOCC issue. We support the SDT using similar criteria to beta criteria assessment proposed by the NERC compliance staff to evaluate each TO Control Center’s risk to the BES.  The beta criteria assessment consideres that not all Control Centers poses the same risk to the BES reliability and security, and therefore, should be categorized and identified based on their risk imapct.  Further, this risk impact approach proposed by this paper is aligned with the main purpose of CIP-002.5.1a impact-based categories.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/4/2017

- 0 - 0

Please see the response to #8 for proposed language as an alternate solution to the TOCC issue.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

We would support the modification of criteria 2.12 but do not believe that there is technical justification for all of the criteria included in the white paper.

  1. The methode for determining aggragate transmiision does not consider that the risk to the BES is dependent on the impact of the entire “path” and not the summation of each line making that path.

  2. There is no technical justification for the 200 line miles of transmission.

     

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 3 - 0

SVP agrees with the comments posted by APPA.

Val Ridad, On Behalf of: Silicon Valley Power, WECC, Segments 4

- 0 - 0

As stated in our response to Question No. 5, we support the existing standards.

PPL NERC Registered Affiliates, Segment(s) 3, 1, 5, 6, 2/9/2017

- 0 - 0

WECC considers the proposed set of threshold values (Option 1.a) to be an accurate reflection of the risk posed to the reliability of the BES by TOP and TO Control Centers. WECC supports all six of the listed criteria (with the recommended change to the first bullet, cited above in item #5) as a reasonable set of threshold criteria to establish TOP and TO Control Centers containing Medium BCS and  agrees all TOP or TO Control Centers that do not meet one or more of these criteria should be considered Low impact BES Assets under IRC 3.1.

Steven Rueckert, On Behalf of: Western Electricity Coordinating Council, , Segments 10

- 0 - 0

While OPG supports the language in the white paper it is not clear how the 200miles criterion was derived.

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

FEUS agrees with the criteria with a proposed modification to the following:

“Facilities operated between 100 and 200 kV that have been identified as part of a permanent flow gate or are necessary for System Operating Limits associated with a major transfer path.”

 

Linda Jacobson-Quinn, On Behalf of: City of Farmington, , Segments 3

- 0 - 0

Acknowledge that the TOCC White Paper Page 9 criteria:

• Two geographically separate (BES) Transmission Facilities operated at 200 kV or higher

• Transmission Facilities that have an aggregate transmission capacity greater than 1500 MVA

• A Facility that has been identified by its RC, PC, or TP as critical to the derivation of an Interconnection Reliability Operating Limit (IROL) and its associated contingencies

• Facilities operated between 100 and 200 kV that have been identified as part of a permanent flow gate or major transfer path

• BES Transmission Facilities that have a Total Transfer Capability with a neighboring Transmission Operator that is greater than 1500 MVA

• Greater than 200 line miles of Transmission Lines

may need to be further debated for what constitutes greater than minimal impact to the BES.

Bob Case, On Behalf of: Black Hills Corporation, WECC, Segments 1, 3, 5, 6

- 0 - 0

Exelon does not support the revisions to CIP-002-5.1a, Attachment 1, Criterion 2.12 as presented in the TOCC White Paper, as no corresponding technical justification is provided. Rather, Exelon supports development of a Low Impact Justification Process as described in the TOCC White Paper.

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

N&ST agrees with all proposed criteria EXCEPT for one based on miles of transmission line(s) controlled by a TOCC (proposed value 200). N&ST does not believe transmission line mileage is a useful indicator of a TOCC’s potential impact on BES reliability.

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

IID supports the following criterion 2.12 update developed by APPA and TAPS, in collaboration with industry input. Any Control Centers that do not fall under the High Impact Rating or this criterion would be classified as Low Impact.

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

AZPS is supportive of criteria development in CIP-002-5.1, Attachment 1; however, believes that 1500 MVA of facility rating is too stringent.  AZPS believes that the minimum appropriate MVA facility rating would be 3000 MVA.  Alternately, 1500 MVA peak flow or Total Transfer Capacity (TTC) can be used as the criteria.  AZPS recommends replacing the item “Transmission Facilities that have an aggregate transmission capacity greater than 1500 MVA” with the suggestions above.

Stephanie Little, On Behalf of: Stephanie Little, , Segments 1, 3, 5, 6

- 0 - 0

City Light supports APPA TAPS

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Texas RE does not have comments for this question.

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

Remove the 200 mile criteria.  AEP believes circuit miles of transmission lines cannot change the impact.

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

NRG supports the suggestion to amend the definition of Transmission Operator.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

We support the modification of Criteria 2.12, but do not believe there is justification for all of the whitepaper’s Criteria. We are not aware of technical justification for 200 miles of Transmission. The method for determining aggregate transmission does not consider the risk to the BES is dependent on the impact to the entire path and not the summation of each line making that path.

RSC no Dominion and ISO-NE, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 4/11/2017

- 0 - 0

Si Truc Phan, On Behalf of: Hydro-Qu?bec TransEnergie, NPCC, Segments 1

- 0 - 0

Although we support revision to Criterion 2.12, we believe the criteria developed in the White Paper lacks established technical justification.  Due to the short development time available to resolve the TOCC issue, we strongly advise utilization of established criteria contained in CIP-002-5.1a, Attachment 1.  The Utility Services proposed revision of Criterion 2.12 follows this advice, and its answer to this question is supported by this comment group.

Small Entity Comment Group, Segment(s) 4, 3, 5, 6, 4/11/2017

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

FMPA supports the comments developed by APPA / TAPS which were submitted by Utility Services, Inc.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

PSEG supports Edison Electric Institute’s comments.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 1 - 0

Will support with the modification

Two geographically separate (BES) Transmission Facilities operated at 200 kV or higher (recommended modification)

  •          Since Facilities are Transmission Lines or Transmission Transformers, there will be a potential conflict with Regional Entity interpretation of “geographically separate”.  

Recommendation - change to: Operate BES equipment at 200 kV or higher at 2 or more substations separated by one mile or greater.

Transmission Facilities that have an aggregate transmission capacity greater than 1500 MVA  (recommended modification)

  •          Lacking the qualifier “BES” Transmission Facilities
  •          Direct numerical addition of capacitor into the aggregation of 1500 Power System engineering-wise is incorrect.  
  •          There will be a potential conflict with Regional Entity interpretation of how to calculate the 1500MVA.

o   Lacks consideration of how to address tielines to neighboring TO

o   Lacks consideration of how to address jointed own facilities

o   Inappropriately penalties TO that allows interconnection of distribution substation for end-use customer reliability.  As an example a 400 MVA BES Transmission Line is tapped with distribution substation should not create Two 400 MVA BES Transmission Lines

Recommendation #1 - include the attached white paper as a means to calculate the 1500. 

Recommendation #2 – provide an alternative method of calculating the 1500, whereby the TO must select between the two methods.   Method 2 would be the total of:

o   Peak Customer load connected to the TO BES Transmission Facilities

o   BES generation (nameplate) connected to the TO BES Transmission Facilities.

o   Incremented Transfer Capability through TO’s system.

A Facility that has been identified by its RC, PC, or TP as critical to the derivation of an Interconnection Reliability Operating Limit (IROL) and its associated contingencies (OK – see response on question 8)

Facilities operated between 100 and 200 kV that have been identified as part of a permanent flow gate or major transfer path (OK – see response on question 8)

BES Transmission Facilities that have a Total Transfer Capability with a neighboring Transmission Operator that is greater than 1500 MVA (recommend deleting)

·         When consider the maximum aggregated MVA capacity of the BES Transmission Facilities being 1500, it will be impossible to achieve a Total Transfer Capability of greater than 1500.

Recommendation - deletion

 Greater than 200 line miles of Transmission Lines (recommend deleting)

·         Lacking the qualifier “BES” Transmission Facilities

·         Length of line has no bearing on the cyber security risk.

Recommendation - deletion

Terry Volkmann, On Behalf of: On Behalf of Small TO CC group, MRO, SERC, RF, Segments 1, 9

TOCC Transmission Capability Calculation.docx

- 0 - 0

Brandon Cain, On Behalf of: Southern Company - Southern Company Services, Inc., SERC, Segments NA - Not Applicable

- 0 - 0

AECI does not support the proposed criteria that were referenced in the TOCC whitepaper.  Transmission systems vary widely in design and operating practices are significantly different throughout the Interconnections.   AECI contends that numerous variables exist and unique electrical characteristics of distinct Transmission systems throughout the Interconnections make establishing succinct criteria an impractical approach.  Furthermore, AECI contends that the criteria proposed in the associated whitepaper appear to lack technical merit and do not accurately identify a Responsible Entity’s impact on the reliable operation of the BES.  For example, the loss or misuse of 200 circuit miles of Transmission Line could have negligible impacts on the Reliability of the BES, based on a wide variety of possible Transmission system configurations.  Additionally, a simple summation of Transmission Facility capacities does not accurately measure a Responsible Entity’s potential impact on the reliable operation of the BES. 

AECI recommends that the language in CIP-002-5.1a Attachment 1, criterion 2.12 should be revised with the underlined text to read as follows:  “Each Control Center or backup Control Center, whose operating personnel have independent authority to perform real-time reliability tasks on the Bulk Electric System (BES), used to perform the functional obligations of the Transmission Operator not included in High Impact Rating (H), above.”  This revised criterion provides the additional clarity that was requested by the V5TAG as documented in the Standards Authorization Request.

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

ACES would support the criteria. Regions and auditors are currently using those process flows as guidance. An entity could still go through the NERC Exception Process for asset removal, if needed. Clearly, small cooperatives who are most at risk for potential Medium Impact Control Centers would appreciate knowing that their status level will not change over time and FERC  Commission changes.

ACES Standards Collaborators, Segment(s) 1, 3, 5, 6, 4, 4/11/2017

- 0 - 0

Reclamation does not agree with the inclusion of “Facilities operated between 100 and 200 kV that have been identified as part of a permanent flow gate or major transfer path” in the impact rating criteria for medium impact.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

SPP Standards Review Group, Segment(s) , 4/11/2017

- 0 - 0

Elements of the proposed bright line Criterion 2.12 for classifying certain TOCCs as low impact seem arbitrary, and may have unitended consequences of mis-classifying certain Control Centers.

Lauren Price, On Behalf of: Lauren Price, , Segments 1

- 0 - 0

Tacoma Power supports APPA TAPS comments

Hien Ho, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

SCE agrees with the criteria in the TOCC White Paper and the need for more specific criteria than currently exists for Criteria 2.12 in the current standard.

However, some elements of the proposed bright line Criterion 2.12 for classifying certain TOCCs as low impact appear subjective.  For example, the 1500 MVA aggregate transmission capacity and 200 line miles of Transmission Lines, may potentially exclude  TOCC which pose significant reliability impact to the BES.

Deborah VanDeventer, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

Elements of the proposed bright line Criterion 2.12 for classifying certain TOCCs as low impact seem arbitrary.  In particular, the 1500 MVA aggregate transmission capacity and 200 line miles of Transmission Lines could exclude TOCCs capable of having pretty significant reliability impacts.  

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Apply the current Attachment 1 medium impact criteria (2.2, 2.4, 2.5, 2.7, 2.8, 2.9 or 2.10) to cyber systems associated with Transmission Facilities that are located in TO control rooms (this could be added as criteria 2.14 in Attachment 1).

Alternatively, we support the adoption of new criteria through the Standards development process.

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0

Hot Answers

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

If the considerations make sense for one type of Registered Entity, they should make sense for another type of Registered Entity. 

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

Other Answers

BPA believes that registration should not determine risk to the BES.

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

MRO NSRF suggests that similar considerations be give to the lower risk Transmssion Operator Control Centers as proposed for the Transmission Onwer Control Centers.  We believe the functional registration does not exclusively determine the risk an entity poses to the reliability and security of BES, but rather the operational function(s) they perform or the operational ability or control they have.  We understand that the NERC compliance staff is considering futher evaluation using the proposed beta criteria assessment.  However, revision to the CIP-002-5.1a, Attachment 1, Criterion 2.12 to consider lower risk Transmssion Operator Control Centers similar to TOCC is an effective approach. This will identify impact and categorization at the front-end as part of CIP-002-5.1 assessment. 

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/4/2017

- 1 - 0

If the ERO and a third party determines that a TOP CC only provides a minimal risk to the BES, then the CC should be low impact.  The risk evaluation should determine what level of risk a facility presents rather than an arbitrary label.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Determination of risk and the resulting impact level, should be determined in the same whay when operation and ownership both have the same capabilities.

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 3 - 0

SVP agrees with APPA's comment that the determination of risk and resulting impact level should be determined in the same way when operation and ownership both have the same capabilities.

Val Ridad, On Behalf of: Silicon Valley Power, WECC, Segments 4

- 0 - 0

As stated in our response to Question No. 5, we support the existing standards.

PPL NERC Registered Affiliates, Segment(s) 3, 1, 5, 6, 2/9/2017

- 0 - 0

WECC has multiple smaller TOP entities who are also faced with an undue financial and resource compliance obligation without significant gain to the reliability of the BES. As stated above, WECC supports the development of a Low impact Category for TOP Control Centers and for TO who perform the functional obligation of the TOP and who do not meet the criteria for Medium BCS at Control Centers as established by a modified IRC 2.12 under Option 1.a. 

Steven Rueckert, On Behalf of: Western Electricity Coordinating Council, , Segments 10

- 1 - 0

OPG considers this would be in line with the NERC CIP Risk based approach for compliance.

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

There are many small TOP’s that pose little risk to the BES. The cost associated with implementing and maintaining a Medium Impact control center prohibitive and do not increase reliability or security proportionate to justify the cost. 

Linda Jacobson-Quinn, On Behalf of: City of Farmington, , Segments 3

- 0 - 0

Based on the original TO "used to perform the functional obligation of" a TOP issue, it is appropriate that agreed-to inclusion criteria would apply to both TO and TOPs.

Bob Case, On Behalf of: Black Hills Corporation, WECC, Segments 1, 3, 5, 6

- 0 - 0

Yes.  If the SDT decides to use criteria to classify as low impact certain TOCCs performing the functional obligations of a TOP, they should also allow TO control centers to use the same criteria.  Both control centers “perform the functional obligations of a TOP,” so there’s no reason to differentiate between them simply because one is registered as a TO and the other as a TOP.  From a reliability operations perspective, both would be equally important.  

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

N&ST believes this should be done for the sake of consistency if for no other reason.

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

Registration should not determine risk to the BES.

 

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Yes, AZPS believes if a control center is classified as low risk, it should be designated as such irrespective of who operates it.

Stephanie Little, On Behalf of: Stephanie Little, , Segments 1, 3, 5, 6

- 0 - 0

City Light supports APPA TAPS

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

:  Please see Texas RE’s general comments against revising the CIP v5 Standards to create a generalized exception for certain Transmission Owner Control Centers.

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

AEP believs the potential impact on transmission facilities is not substantially different.  TOCC need to be added to applicable existing criteria.

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

NRG supports the considerations proposed applicable to the lower risk TOCC afforded to the lower risk TOP Control Center(CC) . NRG asserts that the potential risks need to be applicable and fair across the board.

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

As answered in earlier questions, we support Low Impact Control Centers for Transmission Operators and Transmission Owners.

RSC no Dominion and ISO-NE, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 4/11/2017

- 0 - 0

No further comments

Si Truc Phan, On Behalf of: Hydro-Qu?bec TransEnergie, NPCC, Segments 1

- 0 - 0

Due to efforts to close all reliability gaps regarding transmission Facilities, the establishment of small TOP entities who have no real time reliability concerns exist.  For example, some TOP entities have only a single real time reliability action they would act on: load shedding in support of stressed BES Facilities outside the small TOP control area.   In other words, loss of the small TOP control area may help the overall stability of the BES.  Since the Transmission Service Provider may off load the small TOP system independently, the small TOP capability is low impact.  In those cases where the TOP actions do not necessitate real time response due to the trivial BES assets it controls, the central consideration is whether the BES external to the small TOP is properly protected with appropriate control by other entities. 

Small Entity Comment Group, Segment(s) 4, 3, 5, 6, 4/11/2017

- 0 - 0

Based on the function and responsibilities of the TOP, a TOP Control Center should always carry at least a Medium Impact rating.

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Entities that pose a similar risk to the BES should be treated in a similar manner.

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

FMPA supports the comments developed by APPA / TAPS which were submitted by Utility Services, Inc.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

PSEG supports Edison Electric Institute’s comments.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 1 - 0

The criteria used for differentiating low impact TO CC carry a similar risk profile if applied to TOP CC.   For systems meeting the low impact criteria, the risk to the BES from cyber security is no different for the TO CC operating as a control conduit versus a TOP CC that controls and is responsible for reliability

Terry Volkmann, On Behalf of: On Behalf of Small TO CC group, MRO, SERC, RF, Segments 1, 9

- 0 - 0

 If modifications are made to the criteria in CIP-002-5.1 Attachment 1, these modifications should apply to both Transmission Owner Control Centers and Transmission Operator Control Centers.  Southern Company is in favor of consistent application of any  modified criteria, regardless of registration.     

Brandon Cain, On Behalf of: Southern Company - Southern Company Services, Inc., SERC, Segments NA - Not Applicable

- 0 - 0

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

If the CIP standards are truly risk based then a similar set of criteria should be available to TOPs. Smaller entities that are rural should not be considered at the same risk level as a multi-regional urban TOP CC.

ACES Standards Collaborators, Segment(s) 1, 3, 5, 6, 4, 4/11/2017

- 0 - 0

Reclamation recommends that the definition of Control Center be applied uniformly regardless of ownership.

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

The SPP Review Group supports the considerations proposed applicable to the lower ristk TOCC afforded to the lower risk TOP Control Center(CC) . From our perspective, the potential risks need to be applicable and fair across the board.

SPP Standards Review Group, Segment(s) , 4/11/2017

- 0 - 0

Lauren Price, On Behalf of: Lauren Price, , Segments 1

- 0 - 0

Tacoma Power supports APPA TAPS comments

Hien Ho, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

SCE supports considerations for lower risk Transmission Operator Control Centers. If an entity has justifiable reasoning for a lower risk then it should be considered within the Standard.  SCE believes the same criteria should be used to classify as low impact certain TOCCs “performing the functional obligations of a TOP” and TOP, should the SDT pursue applying such criteria.

Deborah VanDeventer, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

If the SDT decides to modify the CIP-002-5.1 Attachment 1 criteria, then these modifications should apply both to the Control Centers of TOs and TOPs.  

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0

Hot Answers

BC Hydro, Segment(s) 1, 2, 3, 5, 5/6/2015

- 0 - 0

Andrew Gallo, On Behalf of: Andrew Gallo, , Segments 1, 3, 4, 5, 6

- 0 - 0

Other Answers

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

N/A

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 1/4/2017

- 0 - 0

Although “standards development should not be utilized to solve potential concern about compliance monitoring or enforcement”, it should be acceptable to use it to clarify expectations in order to ensure that the requirement is understood so that proper controls are applied.  As discussed in the White Paper, the phrase “perform the functional obligations” is not clearly understood.  As described at the beginning of the standard, the Purpose of the CIP standards is “to identify and categorize BES Cyber Systems …commensurate with the adverse impact that … those BES Cyber Systems could have on the reliable operation of the BES."  As indicated in the response to Question 2, the language “perform the functional obligations” is very broad and does not consider adverse impact to the reliable operation of the BES.  As used, “reliable operation” is not defined.  However, Reliable Operation is defined in the NERC Glossary as, “operating the elements of the [Bulk-Power System] within equipment and electric system thermal, voltage, and stability limits so that instability, uncontrolled separation, or cascading failures of such system will not occur as a result of a sudden disturbance, including a cybersecurity incident, or unanticipated failure of system elements.”

In the spirit of the Purpose statement and NERC defined term Reliable Operation as well as providing “bright line” criteria, Dominion proposes that Sections 1.3 and 2.12 be modified as follows: 

1.3) Each Control Center identified as meeting CIP-014 R1.2 (as modified by R2.3, if applicable) and any backup Control Centers to these Contol Centers.

2.12) Each Control Center or backup Control Center that operationally controls one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10 not included in 1.3, or meets one of the following conditions:

  • A Facility that has been identified by its RC, PC, or TP as critical to the derivation of an Interconnection Reliability Operating Limit (IROL) and its associated contingencies.

  • Facilities that have been identified as part of a permanent flow gate or major transfer path.

Additionally, 2 new requirements would be required to cover gaps left by 1.3 and 2.12 only applying to TOCCs.

1.5) Each TOP Control Center not included in 1.3 and which provides operational directions to a TO Control Center meeting 1.3.

2.14) Each TOP Control Center not included in 1.3, 1.5, and 2.12 which provides operational directions to a TO Control Center meeting 2.12.

  • From the CIP-014 GTB: “A primary control center operationally controls a Transmission station or Transmission substation when the control center’s electronic actions can cause direct physical action at the identified Transmission station or Transmission substation, such as opening a breaker, as opposed to a control center that only has information from the Transmission station or Transmission substation and must coordinate direct action through another entity.”

    Additional rationale:

    Tying 1.3 to CIP-014 covers the third party review discussed by the SDT that ensures that high impact CCs are identified.  Medium Impact is then based purely on the Section 2 bright line criteria for both TO and TOP CCs.  3.1 covers all other Control Centers to meet FERC’s desire for “comprehensive protection of all control centers and control systems”.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

Thank you for the opportunity to present these concepts.

Brian Evans-Mongeon, On Behalf of: Utility Services, Inc., , Segments 4

- 0 - 0

Thank you for the opportunity to comment on this issue.

Val Ridad, On Behalf of: Silicon Valley Power, WECC, Segments 4

- 0 - 0

PPL agrees with the SDT that the current standards reflect FERC-approved language and there is currently no direction from FERC to modify the language. 

PPL would support a NERC approved process whereby a TO with a Control Center could petition their Reliability Coordinator to be classified as a Low Impact BES Asset with approval by the respective Regional Entity.  E.g. this process could be part of the new ERO Enterprise Risk Based Compliance Monitoring and Enforcement Program issued by NERC.

PPL NERC Registered Affiliates, Segment(s) 3, 1, 5, 6, 2/9/2017

- 0 - 0

WECC's position is clearly stated in items 1-7 above. WECC does not have additional comments.

Steven Rueckert, On Behalf of: Western Electricity Coordinating Council, , Segments 10

- 0 - 0

David Ramkalawan, On Behalf of: David Ramkalawan, , Segments 5

- 0 - 0

FEUS appreciates the efforts by the SDT. It is important for the SDT to respond to the TOCC and ensure small TOP’s are considered. FEUS does not support Option 2 “No further action by the SDT.” While the current language was approved through the Standards Process, the language ‘performing the functional obligations of’ became confusing and upon implementation was determined be different than initial interpretation by many Registered Entities. 

Linda Jacobson-Quinn, On Behalf of: City of Farmington, , Segments 3

- 0 - 0

Bob Case, On Behalf of: Black Hills Corporation, WECC, Segments 1, 3, 5, 6

- 0 - 0

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

(none)

Nicholas Lauriat, On Behalf of: Network and Security Technologies, , Segments 1

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

Jesus Sammy Alcaraz, On Behalf of: Imperial Irrigation District, , Segments 1

- 0 - 0

Stephanie Little, On Behalf of: Stephanie Little, , Segments 1, 3, 5, 6

- 0 - 0

City Light supports APPA TAPS

Seattle City Light Ballot Body, Segment(s) 1, 4, 6, 5, 3, 12/2/2016

- 0 - 0

FirstEnergy Corporation, Segment(s) 4, 1, 3, 5, 6, 4/11/2017

- 0 - 0

Texas RE does not have additional comments.

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

None

Aaron Austin, On Behalf of: Aaron Austin, , Segments 3, 5

- 0 - 0

N/A

Kara White, On Behalf of: NRG - NRG Energy, Inc., FRCC, MRO, WECC, Texas RE, NPCC, SERC, SPP RE, RF, Segments 3, 4, 5, 6

- 0 - 0

RSC no Dominion and ISO-NE, Segment(s) 1, 0, 2, 4, 5, 6, 7, 3, 4/11/2017

- 0 - 0

Si Truc Phan, On Behalf of: Hydro-Qu?bec TransEnergie, NPCC, Segments 1

- 0 - 0

Thank you for the opportunity to comment on this issue.

Small Entity Comment Group, Segment(s) 4, 3, 5, 6, 4/11/2017

- 0 - 0

Duke Energy , Segment(s) 1, 5, 6, 4/10/2014

- 0 - 0

Anthony Jablonski, On Behalf of: ReliabilityFirst , , Segments 10

- 0 - 0

FMPA supports the comments developed by APPA / TAPS which were submitted by Utility Services, Inc.

FMPA, Segment(s) , 12/5/2016

- 0 - 0

PSEG supports Edison Electric Institute’s comments.

PSEG REs, Segment(s) 5, 6, 3, 1, 3/6/2017

- 1 - 0

Yes, many of the low impact criteria for the TO CC can change with less advance notice the time needed to elevate the BES Cyber Assets from low impact to medium impact.    The TOCC criteria should allow 24 months transition from low to medium from the time of discovery.  This is consistent with the V2 and V3 implementation plan for newly classified cyber assets.

Terry Volkmann, On Behalf of: On Behalf of Small TO CC group, MRO, SERC, RF, Segments 1, 9

- 0 - 0

Brandon Cain, On Behalf of: Southern Company - Southern Company Services, Inc., SERC, Segments NA - Not Applicable

- 0 - 0

AECI thanks the SDT for its efforts to address TOCC issue.

AECI & Member G&Ts, Segment(s) 1, 6, 5, 3, 4/11/2017

- 0 - 0

Doing nothing is not an option. Smaller cooperatives are concerned that the current group of TO letters that were sent out from NERC will not satisfy FERC’s concern that the issue has been addressed and the issue has closure.

Thank you for your time and consideration.

ACES Standards Collaborators, Segment(s) 1, 3, 5, 6, 4, 4/11/2017

- 0 - 0

Wendy Center, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

The SPP Review Group suggests that the concerns could be resolved better through the NERC Registration process for categorization of the BES Cyber Systems. For example, if the BES Cyber System is used for the obligations of the TOP, but is located in the control center of a TO, the TO control center would either be Medium or High.

SPP Standards Review Group, Segment(s) , 4/11/2017

- 0 - 0

Lauren Price, On Behalf of: Lauren Price, , Segments 1

- 0 - 0

Hien Ho, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

Deborah VanDeventer, On Behalf of: Edison International - Southern California Edison Company, WECC, Segments 1, 3, 5, 6

- 0 - 0

As indicated in the comments under question 3, the language “used to perform the functional obligations” does not consider the capability of the TOCC and its related risk to the BES. 

We provide the following three modifications as an alternative for the SDT to consider in addressing the TOCC issue:

First, modify CIP-002.5.1 Attachment 1, criteria 1.3 to:

Each Control Center identified as meeting CIP-014 R1.2 (as modified by R2.3, if applicable) and any backup Control Centers to these Control Centers.

Second, modify CIP-002.5.1 Attachment 1, criterial 2.12 to:

Each Control Center or backup Control Center that operationally controls one or more of the assets that meet criterion 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10 not included in 1.3, or meets one of the following conditions:

  • A Facility that has been identified by its RC, PC, or TP as critical to the derivation of an Interconnection Reliability Operating Limit (IROL) and its associated contingencies
  • Facilities that have been identified as part of a permanent flow gate or major transfer path.

Third, to address TOP Control Center gaps left by the new criterion 1.3 and 2.12, add the following criterion:

1.5.  Each TOP Control Center not included in 1.3 and which provides operational directions to a TO Control Center meeting 1.3.

2.14.  Each TOP Control Center not included in 1.3, 1.5, and 2.12 which provides operational directions to a TO Control Center meeting 2.12.

From the CIP-014 GTB: “A primary control center operationally controls a Transmission station or Transmission substation when the control center’s electronic actions can cause direct physical action at the identified Transmission station or Transmission substation, such as opening a breaker, as opposed to a control center that only has information from the Transmission station or Transmission substation and must coordinate direct action through another entity.”

Tying 1.3 to CIP-014 covers the third party review discussed by the SDT that ensures that high impact CCs are identified.  Medium impact is then based purely on the medium impact criterion under section 2 of CIP-002-5.1 for both TO and TOP CCs; and CIP-002-5.1, section 3, part 3.1 covers all other Control Centers to meet FERC’s desire for “comprehensive protection of all control centers and control systems.”

Melanie Seader, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

The CIP-002-5.1a Standard (and possibly the NERC Glossary) should be modified to clarify all the concerns brought up with TOCC.  This whitepaper mentions many of the key concerns, but does not completely address them all.  In particular:

  • We believe the term Control Center is associated with registered entities (RC, BA, TOP, GOP), therefore a new term should be created for TOCCs (as referenced in the whitepaper), such as ‘CIP Control Facility’ or ‘TO control room’.

  • The whitepaper implies that the phrase “perform functional obligation of” should be interpreted as the BES Cyber System capability at a control facility. However, CIP-002-5.1a guidance indicates otherwise.   Clarity on this point is critical.

NYPA’s position is that the CIP Standard or NERC Glossary be revised to address the concerns raised and attempted to be addressed. Given the validity of the concerns described in the white paper and FERC Order, CIP-002-5.1a should be modified through the NERC balloting process and include an implementation schedule. The Standard’s use of “Control Center” and “perform the functions of a Transmission Operator” are terms of particular import with NERC and its registered entities, which should not be altered for convenience through any lesser form of revision.

David Rivera, On Behalf of: New York Power Authority, , Segments 1, 3, 5, 6

- 0 - 0