NERC: High-Impact, Low-Frequency Risks to Grid

Phil Carson | Jun 03, 2010


We've called your attention to various security risks over the past six months, notably the mundane nature of unintended consequences and the sexier topic of cyber security.

Joe Weiss, managing partner at Applied Control Solutions, talked about security in its broadest sense at Grid ComForum in San Jose in February. Weiss is a walking, talking sense of urgency; that column is here.

We've also featured the mantras and admonishments of Dave Norton, who works on cyber security at Entergy, following his talk at IEEE PES 2010 in New Orleans and a subsequent chat.

Yesterday, the North American Electric Reliability Corporation (NERC) released a report on high-impact, low-frequency events that threaten the grid. (Yes, that's "HILF.") While not terribly newsworthy, the report serves to clear the mind of daily minutiae and bring infrequently considered threats into sharper focus.

Because these mega-threats already appear on the industry's radar, the report noted, many proposals for action likewise are not new.

"HILF risks are just one part of a much larger landscape of risks and concerns facing the sector," the report acknowledged.

Nonetheless, the report urged further efforts to address these risks "in a coordinated, systematic fashion."

The three major, HILF risks identified by NERC and the U.S. Department of Energy (DOE) were articulated in a two-day workshop last November: cyber or physical coordinated attack, pandemic and geomagnetic disturbance.

Pulling a few passages from the executive summary should serve as food for thought. Given space constraints, I'd urge those who are interested to delve into the report itself, particularly in the area of risk assessment and mitigation that needs addressing.

"The risk of a coordinated cyber, physical or blended attack against the North American bulk power system has become more acute of the past 15 years as digital communication equipment has introduced cyber vulnerability into the system," the report noted, neatly delivering the smart grid angle. "Resource optimization trends have allowed some inherent physical redundancy within the system to be reduced."

"The specific concern . is the targeting of multiple key nodes on the system that, if damaged, destroyed or interrupted in a coordinated fashion, could bring the system outside the protection provided by traditional planning and operating criteria," the report continued. "Such an attack would behave very differently than traditional risks to the system, in that an intelligent attacker could mount an adaptive attack that would manipulate assets and potentially provide misleading information to system operators."

The report acknowledged that no such attack has occurred to date and suggested that NERC's Critical Infrastructure Protection (CIP) plans have helped mitigate this risk. One suggested action: the development of "forensic tools and network architectures" that support "graceful system degradation" to allow grid operators to "fly with fewer controls."

The "pandemic risk" is exactly what it sounds like: a concern that a major disease outbreak could decimate operating staff, leaving less-trained, less-experienced individuals to run power generators, address mechanical failures and restore power after outages. (Picture your correspondent at the helm of a control facility and you will never sleep again, I promise.)

The report added that while many stakeholders have plans for pandemics, the sector relies on the federal government to report on the severity and reach of an outbreak - thus "clear triggers" are needed to inform an effective response.

Geomagnetic disturbances, high-altitude electromagnetic pulse events and intentional geomagnetic interference are the third threat articulated by the DOE/NERC report.

"Geomagnetically induced currents on the system infrastructure have the potential to result in widespread tripping of key transmission lines and irreversible physical damage to large transformers," according to the report.

Detonation of a nuclear device was identified as a clear threat, as was "a coordinated attack involving intentional electromagnetic interference [that] could result in more localized and targeted impacts that may also cause significant impacts."

The report noted that replacing damaged extra-high voltage transformers could result in prolonged outages, as the procurement cycle for that equipment can run months to even years.

The nature of high-impact, low-frequency risks is insidious - they appear unlikely and even unthinkable, yet the impacts could be devastating. In the midst of writing about commercial and industrial demand response, smart meters, etc., the NERC/DOE report made me sit back and think big for a change.

Phil Carson
Intelligent Utility Daily




Related Topics


BP, the Gulf and electric utilities


You get points for connecting the dots between the BP blowout in the Gulf and the potential laxity of utilities regarding high-impact, low-frequency impacts to the grid.

That situation is the perfect underscore to NERC's report.

If anyone has ideas or specifics on how utilities may view NERC's concerns in this area, please let us know.

Regards, Phil Carson

How high is risk? How low is Frequency?


The current experience of BP, Transocean and Halliburton in the Gulf of Mexico should serve to remind us all that even low frequency risks do happen.  It is apparent that the plans these companies had in place to deal with a risk they deemed to be of low probability were totally inadequate.  Human nature leads us to underestimate both the impact and the likelyhood of a catastrophic event like an oil rig blowout.  As a result, risk mitigation plans and contingency plans are poorly developed because we believe that they will never really be called upon.  Systems that are designed to prevent the catastrophic event from occurring are not maintained which leads them to fail.  A more risk averse company would have had continual monitoring of the status of the blowout preventer and possibly regular emergency drills where the mechanism was verified if that is a possibility with this technology.  Relief wells would have been drilled in advance to ensure that in the event of a disaster, they could intercept and seal the main well in days not months.

What steps are the utilities taking in light of the lessons learned from the Gulf of Mexico to fully review their risk management portfolios and ensure that genuine, implementable risk and contingency plans exist even for events that are perceived to be low frequency?


Niall McShane