It has been more than a decade since the 2003 Northeast blackout that left 55 million people in the dark in the United States and Canada. The blackout was the catalyst for more stringent rules and regulations to protect the grid from another such event. Since then, the North American Electric Reliability Corporation (NERC) has been authorized by the Federal Energy Regulatory Commission (FERC) to enact and enforce rules and standards protecting the U.S. bulk power system. These rules and standards are constantly evolving, and they affect virtually everything we do in operating, maintaining and protecting the grid day to day.
The reliability standards in place today require processes and procedures to advance the reliability and resiliency of the bulk electricity system. Noncompliance with NERC reliability standards can lead to serious financial consequences as well as reputational risk. Developing a culture of compliance has been a priority for us and our commitment to this was most recently reflected in the outcome of a 2014 NERC audit.
We engage our employees through continuous communication about their contribution to AEP’s reliability compliance. Things as simple as wearing an employee identification badge at all times and following facility access control policies, such as not allowing people to “tailgate” into buildings, are the types of actions that ensure the security of our facilities. These practices are necessary and effective in preserving the integrity of the services we provide and contribute to the safe operation of our assets.
In November 2014, AEP went through a rigorous NERC Reliability Standard Audit and Critical Infrastructure Protection (CIP) requirements review, which covers cybersecurity issues. NERC focused on 33 of 43 requirements in its audit. The audit cycle for AEP’s compliance with NERC CIP standards occurs every three years.
Auditors requested an unprecedented amount of data and conducted on-site investigations and interviews. The auditors focused on procedures and policies, specific safeguards in place to protect cyber assets and measures to prevent unauthorized physical and cyber access to transmission assets.
AEP officially received two possible violations. Auditors recognized AEP for its progress in achieving a strong compliance culture, an improvement from the feedback AEP received following a 2009 CIP audit.
The compliance arena is very fluid, and we must constantly split our attention between what is required today and what might be required tomorrow. Due to this rapid development, CIP version 4 was never put into effect, and preparation is already under way to transition to CIP version 5. Preparing for new, more stringent standards while maintaining today’s systems and networks will be a daunting task. AEP must be fully compliant with CIP version 5 for high- and medium-risk cyber systems by the April 1, 2016 enforcement date. To manage this, we have created a governance structure to oversee the effort. We are currently reviewing standards, finalizing gap analyses and working toward implementation by the end of 2015.
In 2015, we will undergo three more audits on non-CIP standards. The focus will be on other activities we undertake to maintain reliability of the grid, including many processes such as tree trimming and protective equipment maintenance. Audits will be conducted by the PJM Interconnection, Southwest Power Pool Regional Entity, Reliability First, and the Texas Regional Entity.
Reliability Assurance Initiative
Historically, compliance with NERC standards has been based on a one-size-fits-all, zero tolerance model. That approach is changing with NERC’s implementation of the Reliability Assurance Initiative (RAI). NERC initiated RAI in 2012 as a means of shifting to a more collaborative process of identifying reliability risks and using that information to better gauge future compliance monitoring and enforcement efforts. On Feb. 19, 2015, FERC approved the transition to a risk-based approach pending some modifications. We agree that this new reliability philosophy is much more effective and efficient because it allows us to focus on higher-risk issues, thereby boosting system reliability.
With RAI, the emphasis is on reforming both the monitoring and enforcement areas of reliability regulation. Regulators want companies to monitor their own activities, detect issues when they occur, assess the risk of those issues, and correct the causes of those issues in a timely manner. This risk-based approach enhances the effectiveness of NERC’s enforcement program by focusing resources on the areas that present the greatest risk. Compliance activities include self-certifications, audits and spot checks to encourage continuous improvement of internal controls.