I’ve been looking over NERC CIP v5 lately, because of a few discussions I’ve had over the past week. Mainly, it’s been the compliance requirements for the 1500 MW Critical Generation cutoff point and the design concept for what is called a “Unit Split”. A Unit Split involves taking a generation plant that meets the 1500 MW rule and carving up the control systems so that no single BES cyber system can cause a reliability issue within 15 minutes. For once, I’m not here to soapbox about what’s in and what’s out; this is more of an engineering discussion.
First, owners need to be aware that they are trading compliance with the expensive, but reasonably bounded, NERC CIP process for a much less bounded risk assessment and control system analysis process. What do I mean? Once past the initial determination stage, NERC CIP focuses exclusively on cyber security and doesn’t get into the details of equipment, processes, signalling, etc. Owners are held only to the NERC CIP requirements, and secondary considerations outside the cyber security realm are minimal. However, eliminating systems from consideration is based on an engineering assessment of which components can have an impact on 1500 MW of generation. This assessment is much more open ended, and brings in areas not normally part of the NERC CIP process. Some tasks I can envision would be:
- Tracing common equipment signalling cables to the controllers, to identify any capability to affect >1500 MW of operation from a system reserved for less than 1500 MW of operation. I’m most concerned about things like switchgear and other breaker operation, vibration monitoring, switchyard controls, fuel control, and a few others falling into this category.
- Identifying common system logic that relies on inputs from the unit logic in such a way that there is a dependency that could affect >1500 MW. The obvious candidates to check here are instrument air and vibration, but I’m sure there are site-specific examples out there.
Splitting units into separate entities is not always a simple exercise in network segmentation. While it may initially look extremely straightforward on a network architecture diagram, there is more going on behind the scenes. For instance, the 4-20 mA signalling coming out of each controller must be analyzed for its ability to bring down 1500 MW. All the logic in the system must be examined for its potential to cause a 1500 MW loss. If the potential exists, that logic must be redesigned to limit the impact. That might be a lot of logic, especially if signals from your common systems (water supply, fuel supply, switchyard, a few others) are simply going to the nearest controller instead of being routed only to controllers associated with a common unit.
Second, what happens when dependencies that could affect >1500 MW are identified? Those controls have to be redesigned and cabling rerouted to remove the dependency, or at least to limit the impact to below 1500 MW. Redesigning parts of a control system to completely prevent one system from impacting another related system is difficult (just ask our brothers and sisters in nuclear power, who still struggle with it). It’s been one of the historical advantages of non-nuclear power that all the controls can be brought into a monolithic DCS for use in any imaginable logic configuration. We’re now talking about removing that functionality and advantage, which will require time, money, and expertise, and not just capital project money. O&M budgets could be affected, since signals that were once available for immediate use within the control system may no longer be available, limiting control system flexibility.
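The dependency tracing described above can be sanity-checked as a graph problem: each BES cyber system and common system is a node, an edge means a loss or compromise of one can affect the other within the 15-minute window, and any system whose reachable units add up to 1500 MW or more is still in the critical bracket. The following is an added example with a constructed two-unit plant, not code from the original post; the system names, MW figures and edges are assumptions for illustration.

```python
"""Reachable-MW check for a proposed unit split (added example, constructed data)."""
from collections import deque

THRESHOLD_MW = 1500  # NERC CIP v5 Critical Generation cutoff discussed in the post

def reachable_mw(graph, unit_mw, start):
    """Sum the MW of every unit reachable from `start` along dependency edges."""
    seen, queue, total = {start}, deque([start]), 0
    while queue:
        node = queue.popleft()
        total += unit_mw.get(node, 0)          # units carry MW; systems carry none
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return total

def assess_split(graph, unit_mw, threshold=THRESHOLD_MW):
    """Return {system: reachable MW} for every system still at or above the threshold."""
    return {s: mw for s in graph if (mw := reachable_mw(graph, unit_mw, s)) >= threshold}

# Constructed plant: two 900 MW units, each with its own DCS controller (hypothetical names).
UNIT_MW = {"unit1": 900, "unit2": 900}

# Before the split: common systems are simply wired to the nearest controllers,
# so instrument air and switchyard controls touch both units.
BEFORE = {
    "dcs_u1": ["unit1"], "dcs_u2": ["unit2"],
    "instrument_air": ["dcs_u1", "dcs_u2"],   # shared header signalling into both DCSs
    "switchyard": ["dcs_u1", "dcs_u2"],       # breaker control cabled to both units
    "vibration": ["dcs_u1"],                  # only reaches unit 1
}

# After the split: instrument air is rerouted per unit, but the switchyard breakers
# can still trip both units directly, so that dependency was not actually removed.
AFTER = {
    "dcs_u1": ["unit1"], "dcs_u2": ["unit2"],
    "instrument_air_u1": ["dcs_u1"], "instrument_air_u2": ["dcs_u2"],
    "switchyard": ["unit1", "unit2"],         # physical dependency survives the network split
    "vibration": ["dcs_u1"],
}

if __name__ == "__main__":
    for label, graph in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_split(graph, UNIT_MW))
```

Any system the check still flags after the redesign (here the switchyard) is one the split has not taken out of scope, which is the situation the next paragraph describes.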
Last, it might be inevitable to have common systems that can affect 1500 MW at a particular site. Assuming those control systems can be segregated from non-critical systems, what then? Owners may have a NERC CIP compliance responsibility for those common systems, so what was gained? Some physical security and network security infrastructure isn’t needed, there is a potential reduction in paperwork and monitoring, but many of the systems necessary to meet the NERC CIP requirements would still need to be procured, security activities according to NERC CIP would need to be carried out, significant training and background checks… And auditors still get to visit.
So where is the gain? If the split process is backed up by limited common unit dependency that is already present, there may be a gain. If the plant is older and has few actual control systems (or is going through the process of adding control systems), then there may be a gain, as the design cost can be rolled into upgrades and O&M costs would be similar. Of course, these are plants which already have historically low NERC CIP concerns anyway.
As always, viewers are welcome to discuss in the comments.
Title Image by srv0