CIP Version 4

The Basics
CIP Version 4- Background
• Centers around expanded criteria for Critical
Assets
– FERC thought Risk Based Methodologies used by
entities were not uniformly applied- order 706
– Used Bright Line Criteria to have more high level
assets identified as Critical
– Kiss my Risk Based Methodology good bye
CIP Version 4- Background
• Criteria developed for the 3 major facility
classes
– Generation
– Transmission
– Control Centers
• Criteria in CIP-002-4 Attachment 1 is the basis
of the changes in version 4.
CIP-002-4 Attachment 1*
Criteria used to determine Critical Assets
* Also refer to document: CIP-002-4- Cyber Security- Critical Cyber Asset Identification Rationale and Implementation Reference Document
1.1 Generation >= 1500MWs
• Group of units at a single location with a total
of 1500MWs Net Real Power† (i.e. 1500MWs
deliverable to the interconnection)
– Single location
• In a defined physical footprint (as evident by)
– Common fence
– Common entry point
– Shared common facilities
– Common management organization
– Similar naming convention (plant name - #)
• Connected to a single Interconnection*
Includes Nukes
*the three major electric system networks in North America: Eastern,
Western, and ERCOT. NERC Glossary- definition used when capitalized
† where multiple net Real Power Capability can be used the highest value is
judged against the Bright line criteria.
1.1 Generation >= 1500MWs (Cont.)
• Why 1500MWs?
– Taken from Contingency Reserve requirements of
BAL-002
• Makes sure BA has enough Contingency Reserves to return
Interconnection frequency back to limits following a
“Reportable Disturbance”
• The BA or Reserve Sharing Group must maintain enough
Contingency Reserve to cover the single most severe
contingency.
• 1500 MWs was derived from various BAs in all the regions as
the most significant Contingency reserves.
• Figure could be verified through MOD-024, Verification of
Generator Gross and Net Real Power Capability which has to
be given to SPP Model Development Group
1.1 Generation >= 1500MWs (Cont.)
• Critical Cyber Assets
– Intent is to identify common mode vulnerabilities
• Identify all cyber assets that collectively control/ impact
the 1500MWs of generation.
– Cyber Assets- Programmable electronic devices and
communication networks that use a routable protocol.
Includes Hardware, Software and data.
• Need to consider all facilities and systems up to the
point where interconnected to the transmission system.
– Has to be able to impact Bulk Electric System
within 15 minutes
1.1 Generation >= 1500MWs (Cont.)
• Critical Cyber Assets (Cont.)
– Cyber Asset has to be able to impact Bulk Electric
System Operation within 15 minutes to be Critical
• More than 15 minutes should give enough time to
detect and remediate
– Example of Cyber Assets controlling the coal fuel supply for a
coal plant. May have enough time to correct situation before
it affects real time condition.
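Added example (not part of the original slides): a minimal Python sketch of the 1.1 screening described above. It sums each site's net MW using the highest rating per unit, then keeps only routable-protocol Cyber Assets at a Critical Asset site that can impact the BES within 15 minutes. All plant names, ratings and asset records are constructed sample data, and as a simplification the sketch treats every Cyber Asset at a site as relevant to that site's whole output.

```python
from collections import defaultdict

MW_BRIGHT_LINE = 1500    # criterion 1.1 threshold from the slides
IMPACT_WINDOW_MIN = 15   # Critical Cyber Assets can impact the BES within 15 minutes

# Constructed sample data: (unit, location, Interconnection, net MW capability ratings)
UNITS = [
    ("Plant A - 1", "Plant A", "Eastern", [780, 820]),
    ("Plant A - 2", "Plant A", "Eastern", [700]),
    ("Plant B - 1", "Plant B", "Eastern", [900]),
    ("Plant B - 2", "Plant B", "Eastern", [590, 599]),
]
# Constructed sample data: (cyber asset, location, routable protocol?, minutes to BES impact)
CYBER_ASSETS = [
    ("DCS controller", "Plant A", True, 1),
    ("Coal handling PLC", "Plant A", True, 240),   # slow impact, as in the coal fuel example
    ("Serial-only relay", "Plant A", False, 1),    # no routable protocol
    ("DCS controller", "Plant B", True, 1),        # site is below the bright line
]

def critical_generation_sites(units):
    """Total net MW per (location, Interconnection), taking the highest rating
    for each unit, and keep the sites at or above the 1500 MW bright line."""
    totals = defaultdict(int)
    for _name, location, interconnection, ratings in units:
        totals[(location, interconnection)] += max(ratings)
    return {site: mw for site, mw in totals.items() if mw >= MW_BRIGHT_LINE}

def critical_cyber_assets(cyber_assets, critical_sites):
    """Routable-protocol Cyber Assets at a Critical Asset site that can
    impact the BES within the 15-minute window."""
    locations = {location for location, _interconnection in critical_sites}
    return [
        (name, location)
        for name, location, routable, minutes in cyber_assets
        if location in locations and routable and minutes <= IMPACT_WINDOW_MIN
    ]

if __name__ == "__main__":
    sites = critical_generation_sites(UNITS)
    print(sites)
    print(critical_cyber_assets(CYBER_ASSETS, sites))
```

Plant A only crosses the bright line because the higher of Unit 1's two ratings is used; with the lower rating the site would total 1480 MWs.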
1.2 Reactive Resource >= 1000MVARs
• Single or Group of units at a single location
with a total of 1000MVARs
– Excludes Generators
– Net Reactive Power Nameplate Rating
– Single Location evident by
• Common fence
• Common entry point
• Shared common facilities
• Common management organization
• Similar naming convention (name - #)
1.3 Designated Generator
• Planning Coordinator or Transmission Planner
designates as providing an adverse impact to BES
– Within Long-term planning horizon
• Time Horizon described in NERC’s “Time Horizons”
– Defines long term planning horizon as one year or longer
– Planning Coordinator (if none designated then Trans. Planner)
• Identifies generator as a “Reliability Must Run” unit
– Must Run for reliability beyond the local area
– Not generators for Voltage Support within local area
• Not a part of generators designated as “Must Run” for market
– Examples are:
• Category C3 in TPL-003
1.3 Designated Generator (Cont.)
• Planning Coordinator or Transmission Planner
designates as providing an adverse impact to BES
– Examples are:
• Category C3 in TPL-003 – Loss of two or more elements
– Single Line to Ground (SLG) or 3 Phase Fault with Normal
Clearing of
» Generator, Transmission Circuit, Transformer or Single
Pole (dc) Line
– Manual System Adjustment
– Followed by another SLG or 3Φ fault with Normal Clearing of
» Generator, Transmission Circuit, or Transformer
– System Stable; Voltage/Thermal Limits within range
– Can shed load or curtail Firm Transfers
– No Cascading Outages
1.3 Designated Generator (Cont.)
• Planning Coordinator or Transmission Planner designates as providing an adverse
impact to BES
– Another Example given:
• Category D in TPL-004 – Loss of two or more elements or Cascading out of service
– 3 Phase Fault with Delayed Clearing (stuck breaker or protection system)
» Generator, Transmission Circuit, Transformer or Bus Section
– 3 Phase Fault with Normal Clearing
» Breaker (failure or internal fault)
– Loss of tower with 3 or more circuits
– All Transmission lines in a common ROW
– Loss of substation (1 voltage level and transformers)
– Loss of all generation at one station
– Loss of major load or major load center
– Special Protection System or remedial action scheme
» Failure to operate when required
» Operation, partial operation or misoperation not intended to operate
– Disturbances in another Region
» Impact of power swings
» Oscillations
• Evaluate for Cascading outages, Substantial Customer Demand or generation loss in a
widespread area.
1.3 Designated Generator (Cont.)
• Planning Coordinator or Transmission Planner designates
as providing an adverse impact to BES
– Definitions within categories
• Normal Clearing
– Normal clearing is when the protection system operates as designed and the Fault is cleared in
the time normally expected with proper functioning of the installed protection systems.
Delayed clearing of a Fault is due to failure of any protection system component such as a relay,
circuit breaker, or current transformer, and not because of an intentional design delay.
• Planned or controlled loss of demand or curtailed Firm transfers
– Depending on system design and expected system impacts, the controlled interruption of
electric supply to customers (load shedding), the planned removal from service of certain
generators, and/or the curtailment of contracted Firm (nonrecallable reserved) electric power
transfers may be necessary to maintain the overall reliability of the interconnected transmission
systems.
• Category D Extreme Events
– A number of extreme contingencies that are listed under Category D and judged to be critical
by the transmission planning entity(ies) will be selected for evaluation. It is not expected that
all possible facility outages under each listed contingency of Category D will be evaluated.
1.4 Restoration plan BlackStart resource
- Black Start Units
- Listed in restoration plans of EOP-005-2
1.5 BlackStart Cranking Path
• BlackStart Cranking Path
– Facilities from initial switching of BlackStart unit to
• 1st interconnection point of 1st generator to be started
• Where two or more path options exist in restoration plan
[Diagram: Cranking Path from the Black Start Unit through Substation(s) to the 1st Generator, with Path 1 and Path 2 shown as alternative paths]
1.6 Transmission Facilities >= 500KV
• Any Transmission Facility
– At a substation
– Operated at 500KV or greater
Discussion on Collector bus‡
• Collector bus at a Non-Critical Asset Generation plant
– i.e. not aggregate of 1500MWs as in 1.1
– Operated at 500KV or greater
– Bus is considered a generation facility not transmission
– Collector bus would not be considered a Critical Asset
‡Collector bus is the low voltage side of a step-up Xfrmr
connected to a generator where real & reactive power is
collected
1.7 Transmission Facilities >= 300KV
• Transmission Facilities operated within a substation
• Substation interconnected at >= 300KV to
• 3 or more substations
– Ensures that level of impact is deemed appropriate
[Diagram note: 300KV facilities; label: Critical Asset]
1.8 IROL Substation Transmission Facilities
• Designated by Reliability Coordinator (SPP), Planning
Authority, Transmission Planner
– Transmission Facilities deemed critical to derive IROLs & Associated
Contingencies
• The region and member planners determine the contingencies and conditions that
bring the system to the edge of reliable operations and then gather the values from
the model runs.
• What’s an IROL?
– Interconnection Reliability Operating Limit
• The value (e.g. MW, MVAR, Hz, etc.) derived from/ subset of the System Operating
Limits* such that, if exceeded, it could lead to widespread Bulk Electric System instability,
cascading outages, or uncontrolled separation.
*SOL (System Operating Limits) – Values by which the Bulk Electric System can be reliably
operated. Criteria/Methodologies are established to determine these limits both pre
and post contingency.
Bottom Line-> Beyond these limits the BES can’t be counted on to deliver power in a
reliable manner
1.9 Flexible AC Transmission Systems (FACTS)
• System composed of static equipment
– Used in the transmission of electrical energy
– Enhances controllability and increases power transfer capability
– Power Electronics based system
• Reliability Coordinator, Planning Authority, or Transmission
Planning has to designate them as a Critical Asset.
– Must be critical to the derivation of an IROL
– Or associated contingencies
1.10 Transmission Facilities for Gen interconnection
• Transmission Facilities for which if “something happened”* would prevent
Critical Generation from connecting to the Transmission System
– Applicable to generation at a single location >= 1500MWs (1.1)
– Generation designated by Planning Coordinator or Transmission
Planner to avoid BES adverse reliability Impacts in the long-term
planning horizon. (one year or more) (1.3)
– Ensures that Critical Generation can connect to Transmission System
[Diagram: Unit 1, Unit 2 and Unit 3 (> 1500MWs, or any Critically deemed generation) connected by Lines to an Interconnecting Substation]
*something happened- destroyed, degraded, misused,
or otherwise rendered unavailable.. Yada yada
1.11 Transmission Facilities that interconnect Nuclear Plants
• Transmission Facilities identified as necessary to meet Nuclear
Plant Interface Requirements (NPIR)
• Based on Standard NUC-001
– Ensures the reliability of the NPIR by the coordination between the
generator owner/operator and the transmission provider
1.12 Systems that control IROL(s)
• Special Protection System(SPS), Remedial Action Scheme
(RAS), or Automated Switching System ()
• That operates Bulk Electric System Elements that if something
happened*
– Cause one or more element to exceed an IROL due to a
failure to operate as designed
» It operated outside of design parameters
» Didn’t provide the function in the proper time frame
– Compromise of these systems would have Wide Area impacts
– Want to ensure that BES operates within the IROL

Interconnection Reliability Operating Limit- Value limit that a Critical
System element may operate while maintaining system reliability.
*something happened- destroyed, degraded, misused, or
otherwise rendered unavailable.. Yada yada
1.13 Automatic Load Shedding Systems
• Any System or Facility
• Performs automatic load shedding without human initiation, even if it
requires a human to arm it
• >= 300MWs as required by regional load shedding program
– Under Voltage Load Shedding (UVLS)
– Under Frequency Load Shedding (UFLS)
– Those 300MW systems which require human arming to operate
automatically should be considered as Critical
• Why is this level lower than 1500MWs?
– The UVLS and UFLS conditions represent the last ditch efforts to save the
Bulk Electric System
1.14- 1.17 Control Centers- a few words
• Control Centers perform control functions for multiple BES
(Bulk Electric System) elements
– These facilities are deemed to be Control Centers
• Facilities that perform control functions for a single BES
element
– Considered to be a part of that asset
• Example
– Control room for a single Generation plant or Transmission
Substation
– Not considered to be a Control Center
• Control Centers that delegate functional obligations to
another location
– Are also considered to be a Control Center. (A Control Center’s functional
control center)
• Note that Data Centers not located with a control center may be
considered as essential to its operations and hence a Critical Asset
1.14 Control Centers perform functions of RC
• Each Control and Back-up Control Center
– Performs functional obligations of the Reliability Coordinator (RC)
1.15 Control Centers for Critical Generation Assets
• Each Control and Back-up Control Center
– Used to control generation at multiple locations
– Generation Control Centers that control generation assets identified in
criteria 1.1, 1.3 or 1.4
• (1.1) Generation at a single location, connected to a single
Interconnection, and has a total Net Real Power >= 1500MWs
• (1.3) Designated Generator: Planning Coordinator or Transmission
Planner deems this unit as one whose operation is necessary to
the reliable operation of the BES
• (1.4) Black Start units
1.16 Transmission Operations Control Centers
• Each Control and Back-up Control Center
– Used to carry out obligations of Transmission Operator
– Transmission Control Centers that control at least one
Transmission asset identified in criteria 1.2, 1.5 – 1.12
• (1.2) Reactive Resources >= 1000MVARs
• (1.5) Black Start Cranking Paths
• (1.6) Transmission Facilities >= 500KV
• (1.7) Transmission Facilities >= 300KV connected to 3 or more >= 300KV Transmission Substations
• (1.8) IROL Transmission Substations
• (1.9) Flexible AC Transmission Systems (FACTS)
• (1.10) Transmission Facilities that interconnect Gen >= 1500MWs
• (1.11) Transmission Facilities that interconnect Nuke Plants
• (1.12) Systems controlling IROLs. SPS, RAS, Automatic Switching
1.17 Balancing Authority Control Centers
• Each Control and Back-up Control Center
– Used to carry out obligations of the Balancing Authority
• Balancing Authority with >=1500MWs in a single Interconnection
– Consistent with 1.1
– Balancing Authority Control Centers that control at least one asset
identified in criteria 1.1, 1.3, 1.4 or 1.13
• (1.1) Generation at a single location, connected to a single
Interconnection, and has a total Net Real Power >= 1500MWs
• (1.3) Designated Generator: Planning Coordinator or Transmission
Planner deems this unit as one whose operation is necessary to the
reliable operation of the BES
• (1.4) Black Start units
• (1.13) Automatic Load Shedding Systems >= 300MWs
QUESTIONS?