Potential CIP decision tree for PMUs

Transcription

1 Potential CIP decision tree for PMUs Questions Is the PMU used to control and/or protect high or medium classified BES equipment? If Yes, device should be classified CIP JDK Comments If any type of automated control is associated with the data or device then it makes sense that is should be classified as CIP. Dual function devices fall under CIP if the box has a protection function. Does the loss, degradation, or misuse of the synchrophasor data supplied by a PMU for greater than 15 minutes impact reliable operation of the BES? If Yes, device should be classified CIP Will the data be used by the PMU owner to make real time operational decisions within 15 minutes? If Yes and synchrophasor data will be only input in the decision making process then the device should be classified as CIP If Yes but other data sources exist that will be used to validate the data before any decisions have been made then continue Will the data be used by others (RCs, TOPs, Bas, etc..) to make real time operational decisions within 15 minutes? If Yes and synchrophasor data will be only input in the decision making process then the device should be classified as CIP If Yes but other data sources exist that will be used to validate the data before any decisions have been made then continue Will the synchrophasor data be used as an input to a state estimation application? If Yes and the loss, degradation, or misuse of the data could affect the state estimator s ability to solve then the device should be classified as CIP If Yes and the loss, degradation, or misuse of the data would not affect the state estimator s ability to solve then continue Will the synchrophasor data be used as part of situational awareness tools? Is the synchrophasor data planned to be used as part of the owner s restoration or recovery plans? If Yes and the loss of SCADA\EMS functionality is assumed such that synchrophasor data would be the sole source of information then the device should be classified as CIP If Yes and SCADA/EMS functionality is assumed and restoration and recovery would not be available in a synchrophasor only scenario then continue If No then continue If we can t survive 15 minutes without any data then I assume it should be classified as CIP If we say it is isn t CIP if other data is used to make the decision how do people track that to prove they were compliant? Might be easier to just treat it as CIP so there aren t any questions. Need to make sure the story matches how you classify the data. Can other entities force CIP status on an owner s device? Probably yes. If the data is being used for reliability purposes by others, should it be CIP and protected as such? Probably yes. Entities should be able to configure their SE applications to minimize the impacts of bad data so this should not be an issue. SE s job is to identify bad data. It depends on criticality of the input data Most entities argue that video walls/situational awareness tools are not critical to real time operations Are there other scenarios where synchrophasor data and applications will be used to operate when EMS is lost? Need to better define scope of restoration during a hurricane type event restoration may occur over days/weeks

2 Is the data used to support a Linear State Estimator [LSE] application that could be used to support the operation of BES facilities for the loss of traditional SE? If Yes, device should be classified CIP I m not sure the use of LSE without SE should force treatment as CIP.

3 Supporting Information A BES cyber asset includes in its definition, that if rendered unavailable, degraded, or misused would, within 15 minutes adversely impact the reliable operation of the BES. BES Reliability Functions - From (CIP a Cyber Security BES Cyber System Categorization) The following table provides guidance that a Responsible Entity may use to identify the BES Cyber Systems that would be in scope. The concept of BES reliability operating service is useful in providing Responsible Entities with the option of a defined process for scoping those BES Cyber Guidelines and Technical Basis Systems that would be subject to CIP a. The concept includes a number of named BES reliability operating services:

4 Question Groupings How is synchrophasor data different than SCADA data? I ve got a meter (SCADA point) and that s not classified as CIP How does the classification work for other EMS sources (all SCADA data)? Stand-alone devices that are (just) meters. It depends on the use of the data David Schooley: In terms of CIP requirements, how is PMU data different than SCADA data? MISO: From the MISO DOE project, the approach to CIP requirements for PMU data is that it should be treated the same as RTU data. What are the requirements for CIP for RTU data today? Once this is understood, then how do we extend this to synchrophasor data. What can we use synchrophasor data for without bringing CIP into the discussion? Time horizon of actions is critical in determination of CIP What happens when PMU data is one of many sources of data? Ryan Nice question on using PMU data as one of multiple sources PMUs on the control room screen(s) but no operating procedures existing just a situational awareness display only (call Ops support for further analysis) utilities are NOT classifying this as CIP o Like weather data o How do you prove that you DIDN T do anything within the timeframes (15 minutes) o Does that need to be proved that you DIDN T do anything with that data? Or would just showing that the operating procedure to make decisions does not include the data? ISO-NE: PMU data as a sole source: if the operators see an oscillation from PMU data and called operations support to confirm. However, if operations support also only has PMU data to use, assuming SCADA data didn t capture the oscillation, which is quite often, would they be able to suggest any actions within 15 minutes based on this sole data source? And in this situation, would the PMU system be required to be CIP? ISO-NE: PMU data as a tipoff: if the operators see oscillations from PMU data; however before taking any actions, they called the plant to verify. And if plant staff verified the oscillation using their internal high-sampling-rate data, would the operators be able to take actions based on the plant feedback? In this case, does the PMU system need to be CIP compliant? What if the plant couldn t verify yet PMU data clearly shows a dangerous and worsening situation (sole source situation)? If an oscillation is identified on the non-cip screen, the action is to call the Ops support and they re using PMU data to make that determination on actions, what s the classification? o Is it CIP if step is to call the plant and coordinate? o Is it CIP if step does not include calling the plant? We would like to allow the Operators to start viewing the data in the control room. If we enable synchrophasor data on control room screen(s) just for situational awareness are the source PMUs considered to be CIP devices? o Concerns that if we force CIP classification too soon it will keep people from introducing the technology to the control room where operations personnel can start to derive value

5 Costs Many comments on the costs associated with moving assets to the CIP environment Do we have a way to compute a per-unit/per-device average cost to CIP-ify a PMU (which would cover the end-to-end infrastructure)? Making a station with no high-speed communications a CIP station because of a PMU huge cost Peak: As Synchrophasor applications is supplemental means to RC function i.e. Operation can live with lower tool availability and server redundancy, compared to real-time EMS tools, can utility apply less strict CIP compliance standards than the current EMS software? If so, the cost of Synchrophasor technology implementation in control room will be reduced significantly. State Estimator Impacts State estimator? Is every SCADA point that s fed into the state estimator considered a CIP asset? If so, does that same concept hold for PMUs? If that concept is not the case, then why would it hold for PMUs? For state estimators, PJM makes an assessment on how impactful the measurements are and that s considered in the determination of whether the assets are CIP Impacts if others use data for real time decision making PJM CIP expert stated that they can only make determination of their own CIP systems, but can t enforce other entities to require their assets to be CIP. Is this the case? What if PJM is making real-time decisions using that data? How is that gap bridged? CIP classification in TO/RTO paradigm o What if the RTO is (wanting to) using PMU data for decision How does the CIP classification work in the RTO environment as a complete CIP system? If the RTO is using the data for real-time decisions, how does the classification at the TO level happen? If an oscillation is identified on the non-cip screen, the action is to call the Ops support and they re using PMU data to make that determination on actions, what s the classification? o Step is to call the plant and coordinate o Step does not include calling the plant and ISO-NE: o External PMU data: if an entity were to integrate external PMU data into its operating systems and use them for operational use, would that data also be required to be CIP compliant? Would that entity need written assurances from the data owner for guaranteed CIP and/or confidence for operational use?

6 Other Will it take a regulatory requirement to move PMUs into CIP? Floyd Galvan, Entergy Lisa Beard: What are the most vulnerable parts of PMU systems (end to end)? Can we prioritize how we spend resources to protect our investments? If not now, when do we think the timeframe will be for using synchrophasors for operational decision making? According to the FERC-NERC-Regional Entity Joint Review of Restoration and Recovery Plans Planning Restoration Absent SCADA or EMS (PRASE) report, the committee recommends having phasor SE and produces one-line display to operators during system restorations. The use of PMU data as a backup data source absent SCADA/EMS during system restoration or normal operations also raises the CIP compliance question. Frankie Dominion devices are CIP, central devices (PDCs) are not CIP. Two separate environments for CIP and non-cip (depending on if data is coming from CIP device (relay) or non-cip device (DFR). PJM bulletin on CIP compliance for PMUs (compliance bulletin #19). Should we dig deeper into this? EPG: CIP requirements for cloud deployment of WAMS, simulation software, etc. How to deal with these? Medium vs. high impact stations and how does that play into the determination of CIP? o Going to vary a lot based on interpretation of requirements, internal controls, etc. o Depends on retrofit vs. initial implementation (e.g., cabinet with card reader) SPP: Based on the SMS CIP discussion today, I wanted to pass along our PMU Members Planning document which contains a CIP Considerations section. This is still a draft document and it is slated to be reviewed by the SPP Reliability Compliance Working Group in June. As the disclaimer states, this is being developed only to help our TOs better understand the related CIP standards and help provide them with additional information. This document should count for at least one question for Mike and I. :)

7

8