Due to the impact of COVID-19, the Federal Energy Regulatory Commission (FERC) approved a request by the North American Electric Reliability Corporation (NERC) to defer the implementation of reliability standards scheduled to become effective in 2020.
FERC’s approved motion represents a measure to help assure grid reliability amid the impacts posed by the COVID-19 outbreak. NERC had requested this action to provide NERC, the Regional Entities and registered entities with regulatory certainty while companies deal with the unprecedented COVID-19 public health emergency.
NERC has also stated that COVID-19 may be considered an acceptable reason on a case-by-case basis for non-compliance with Reliability Standard requirements involving periodic actions that would have been taken between March 1, 2020 and July 31, 2020. Furthermore, NERC has relaxed reliability standard PER-003-2, for the period of March 1, 2020 to Dec. 31, 2020, allowing COVID-19 impacted entities to use system operator personnel that are not NERC-certified.
Regarding sanctions, NERC has stated that it will consider the coronavirus outbreak an extenuating circumstance under its Sanction Guidelines for all instances of noncompliance where the impacts of the outbreak, such as impacts on workforce availability or the supply chain, were a cause or contributing factor to the noncompliance.
COVID-19 will undoubtedly impact many organizations’ NERC programs and the ongoing execution of reliability and compliance operations, as well as the way in which evidence of compliance is retained. As the situation continues to evolve, it’s important for organizations to look at their NERC compliance obligations and plan accordingly.
With the impacts of COVID-19 still being assessed and continuing to develop, we encourage Registered Entities to maintain compliance where feasible with existing and upcoming compliance obligations, while considering risks of losing reliable operations in light of an easing regulatory environment. Where registered entities cannot support continued compliance, timely communications with Regional Entities is required to reach alignment and maintaining documented support including rationale for any deviations is recommended. According to NERC, registered entities must report to their Regional Entity on the standards or requirements involved, details of the impact, efforts to mitigate risk, the expected timeline for mitigating the shortcoming and the cause of the shortcoming in the first place.
Maintain a COVID-19 FERC/NERC Incident Command Committee to assist with assessing risks of taking advantage of easements and establishing a plan to get back to normal operations. Registered entities should also continuously monitor skill sets present throughout the pandemic and consider engaging supplemental resources if warranted.
Identify and protect mission-critical staff, such as control center operators and instrument technicians. Physically segregate crews, disinfect frequently touched equipment, provide PPE, run temperature checks and avoid shared vehicles. Enforce other health measures where a virtual workforce isn't an option. Registered entities should also stand ready to implement advanced business continuity plans should critical personnel become exposed or ill.
Remote technology use poses a heightened cybersecurity risk, so it’s essential to analyze the adequacy of technology resources to support increased remote work —without compromising security. Registered Entities should consider enhanced training related to social engineering attacks, apply more stringent access controls, take steps to inventory and monitor remote assets, ensure continued patching and perform stress testing to identify any additional security measures that might be needed in different scenarios.
Prioritize construction and maintenance activities and assess COVID-19 impacts to ongoing operations and outage schedules. Understand existing inventories of critical equipment and supporting supply chain resources on hand and with key suppliers. Force-majeure situations have already been reported in recent weeks, so knowing your third party’s (and their third party’s) availability to provide ongoing construction, maintenance and equipment needed during the crisis should be continuously evaluated. Registered entities may also want to encourage critical small business suppliers to tap into funding available through the CARES Act.
As processes temporarily change, the underlying evidence of compliance is expected to shift as well. Determine how the design or evidence of compliance might need to be modified. For example, virtual sign-offs instead of manual signatures might be standard practice for a period of time instead of manual signatures.
Registered Entities should consider real-time adjustments to project plans in order to continue meeting NERC’s new standards, while Registered Entities proactively address hazards presented by COVID-19. The FERC-approved delays are only three to six months per standard, and deferring readiness activities until business has returned to normal operations may jeopardize the ability to meet the newly established deadlines.
Dealing with staff shortages or have questions about supportive technologies? Connect with one of our specialists in NERC, business continuity, crisis management, cybersecurity, supply chain, construction or outage management. We’re here for you.
Gavin S. Hamilton
US Energy, Utilities & Mining Assurance Leader, PwC US
Principal, Risk and Regulatory, PwC US
Digital Assurance and Transparency Partner, PwC US
Managing Director, Risk and Regulatory, PwC US
Power & Utilities IA, Compliance & Risk Leader, PwC US